shaolindoman has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks, I'm fairly new to perl/cgi web programming and I'm wondering if someone could help. First, I need to develop a way for users to login to my site, yet restrict access to certain parts (I really don't want to use cookies but if need be then so be it). Also, this needs to be fairly secure since the services provided are far from cheap. Second, I also am developing a checklist shopping cart. I have a credit card validator right now, but I need a way to encrypt the numbers and send them over as well as other personal information in a secure manner. Lastly, in terms of the login script, what is the best way (or how I should say) to keep passwords secure, yet allow users to change their passwords if they wish. Thank you, Nick

Re: Credit Card Encryption and Login Validation
by hardburn (Abbot) on Jun 15, 2004 at 19:30 UTC

    For transferring data from the shopper to the server, just set up SSL. No additional programming necessary.

    If you don't want cookies, then there are various ways to do the same thing. All of them suck to some degree or another (I include cookies in this statement). One way is to have a unique session ID (which you would otherwise put in a cookie) and have it posted as a parameter via a hidden form field or the link.

    For sending the credit cards from your server to the people who need to process the order, I suggest e-mail using Crypt::OpenPGP and set up the order processing people with GnuPG. I've done this with several people where I work, and I find that they can at least do the simple decryption as long as you've walked them through it and stood over their shoulder while the keys are being created. Not necessarily the best solution, though for us it's currently our only option until we can afford to develop something better.

    ----
    send money to your kernel via the boot loader.. This and more wisdom available from Markov Hardburn.
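The Crypt::OpenPGP step suggested above, as an added example that is not hardburn's code: the order text is encrypted to the processing staff's public key and signed with the shop's own key, so that only their GnuPG private key can read it and they can check it really came from the server. The keyring paths, the recipient user ID, the passphrase environment variable and the sample order are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenPGP;

# Hypothetical keyring locations and recipient: the public ring holds the
# processing staff's GnuPG key, the secret ring holds the shop's signing key.
my $pubring   = '/path/to/processor-pubring.gpg';
my $secring   = '/path/to/shop-secring.gpg';
my $recipient = 'orders@example.com';    # user ID (or hex key ID) of the staff key

my $pgp = Crypt::OpenPGP->new(
    PubRing => $pubring,
    SecRing => $secring,
);

# Constructed sample order; real code builds this from the checkout form.
# The plaintext must never be written to a log file or an unencrypted mail.
my $order = join "\n",
    "Order: 1001",
    "Name:  Jane Example",
    "Card:  4111 1111 1111 1111",    # well-known test card number
    "Exp:   12/06";

# Encrypt to the recipient's public key and sign with the shop's secret key.
# Armour => 1 yields ASCII-armoured output that can go straight into an
# e-mail body; the signing passphrase is read from the environment so it
# never sits in the script (assumed variable name).
my $armoured = $pgp->encrypt(
    Data       => $order,
    Recipients => $recipient,
    Armour     => 1,
    Sign       => 1,
    Passphrase => $ENV{SHOP_SIGNING_PASSPHRASE},
) or die "Encryption failed: " . $pgp->errstr;

# $armoured is now the ciphertext; hand it to your mailer as the message body.
print $armoured;
```

The staff side decrypts with `gpg --decrypt` using their own private key and, because the message is signed, can verify the shop's signature as part of the same step.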

Re: Credit Card Encryption and Login Validation
by bradcathey (Prior) on Jun 15, 2004 at 19:41 UTC
    shaolindoman, to be blunt, it also sounds like you are new to e-commerce. You are raising significant issues, important ones, but thorough answers are beyond the scope of a single reply. Here are some starting points:
    First, I need to develop a way for users to login to my site, yet restrict access to certain parts (I really don't want to use cookies but if need be then so be it)
    Super Search PM for topics on passwords (here's a taste) and ways you can handle them. Some use cookies, some use a database like MySQL. But to restrict users to particular areas you will probably need to develop two levels of navigation, and either be checking the DB or cookies as they move from page to page. Using the database for users and passwords will also answer your last question. MySQL has an encryption feature, but you can look at modules like Crypt::CBC and many others.
    Second, I also am developing a checklist shopping cart. I have a credit card validator right now, but I need a way to encrypt the numbers and send them over as well as other personal information in a secure manner
    You need to have a secure certificate (like Verisign) filed with your host (they do the encrypting). However your credit card validator's gateway will require a rigorous protocol for authenticating user info—and all of them are a little different. So, to answer your question, much of this is handled by virtue of the fact you have followed standard e-commerce procedures.

    There's lots of reading out there. Good luck.

    —Brad
    "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton
Re: Credit Card Encryption and Login Validation
by valdez (Monsignor) on Jun 16, 2004 at 08:34 UTC