Re: Secure way of passing variables between forms
by blue_cowdawg (Monsignor) on Dec 27, 2005 at 21:37 UTC
My question is, would this be any more secure, or is there a better way of doing this?
There are more ways of doing this than you might imagine.
Some ways are quite inventive. Let me run a few by you:
- Persistent Storage: If you have the means of
implementing some sort of persistent storage and creating
unique ids for given sessions (see CGI::Session)
then you can set up something like a database table where
you store values and keys. A table might look like:
create table session_vars (
    session_var_id integer not null
        default nextval('session_var_id_seq')
        primary key,
    session_id    varchar(180) not null,
    session_var   varchar(180) not null, -- or whatever size makes sense
    session_value varchar(180) not null  -- again... what makes sense
);
You'd then store the values and retrieve them between pages
as appropriate. You'd also need some logic in place in your
code that detects that a session has expired and cleans
that table out periodically of expired information.
- Encryption: I've seen more than one scheme
used by application programmers where the hidden fields
were actually encrypted between pages. Seems like a lot of
trouble to go to from where I sit, but it is a valid
approach. The encryption key would be stored on the server
and something like Blowfish used for encryption/decryption.
There are two approaches; I'm sure other monks can come
up with other ways.
Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
Re: Secure way of passing variables between forms
by ptum (Priest) on Dec 27, 2005 at 21:27 UTC
Re: Secure way of passing variables between forms
by davis (Vicar) on Dec 27, 2005 at 21:36 UTC
Two of the variables are the user's username and password, which I do not want to put in 'hidden' fields as this is not very secure
Eh? Define "secure"... Does it mean that no-one will ever, ever be able to find out that information? Or does it mean that it would never be worth anyone's while to find out that information?
To be honest, I think you're thinking in the wrong direction. You would certainly want to minimize the traffic of the users' names and passwords (i.e. never send the information more than once), and you should encrypt information while it's in transit (i.e. use SSL). The differences in security of HTML hidden fields and any other type of (HTTP) transmission I can think of are minimal.
The normal (and probably "best") way of doing it is something like this: offer the users an HTML form over SSL, in which they enter their identifying information -- their authentication -- you then check the supplied credentials, assign privileges -- their authorization -- and give the user a token (often an HTTP cookie) which you can verify to be correct and unmolested (e.g. via cryptographic signatures). That way, the username and password are only entered and passed once, and you check the validity of the cookie at each subsequent stage.
That's enough parentheses for one post... happy new year.
davis
Kids, you tried your hardest, and you failed miserably. The lesson is: Never try.
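The flow davis describes above, as an added Perl example that is not from the thread: credentials are checked once, and afterwards the server only hands back a token it can verify, here an HMAC-signed cookie value carrying the username and an issue time (never the password). The secret string, the one-hour lifetime and the usernames are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Server-side secret (placeholder value for this example); in practice load
# it from a file outside the web root so clients can never see it.
my $SECRET  = 'example-secret-replace-with-long-random-bytes';
my $MAX_AGE = 3600;    # token lifetime in seconds (assumed one hour)

# Token layout: base64url("user|issued_at") . "." . hex(HMAC-SHA256)
# Assumes the username contains no '|' character.
sub make_token {
    my ($username, $issued_at, $secret) = @_;
    my $payload = encode_base64url("$username|$issued_at");
    my $mac     = hmac_sha256_hex($payload, $secret);
    return "$payload.$mac";
}

# Constant-time comparison so a wrong MAC is not revealed byte by byte
# through response timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the username when the token is authentic and unexpired, else undef.
sub verify_token {
    my ($token, $secret, $now) = @_;
    my ($payload, $mac) = split /\./, $token, 2;
    return undef unless defined $payload && defined $mac;
    return undef unless ct_eq(hmac_sha256_hex($payload, $secret), $mac);
    my ($username, $issued_at) = split /\|/, decode_base64url($payload), 2;
    return undef unless defined $issued_at && $issued_at =~ /^\d+$/;
    return undef if $now - $issued_at > $MAX_AGE;
    return $username;
}

my $now = time;
my $t   = make_token('alice', $now, $SECRET);          # issued after login
print "verified: ", (verify_token($t, $SECRET, $now) // 'INVALID'), "\n";
# A token built without the server secret fails the MAC check.
my $bad = make_token('admin', $now, 'some-other-key');
print "wrong key: ", (verify_token($bad, $SECRET, $now) // 'INVALID'), "\n";
# The genuine token is also rejected once it is older than $MAX_AGE.
print "expired: ", (verify_token($t, $SECRET, $now + $MAX_AGE + 1) // 'INVALID'), "\n";
```

The cookie holding this token must still travel over SSL, since the signature only proves integrity and origin, not confidentiality.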
Re: Secure way of passing variables between forms
by kwaping (Priest) on Dec 27, 2005 at 21:55 UTC
The most secure way of protecting data is to not transfer it at all. Is there a way you can avoid passing the password, at least? If it were me, I'd encrypt the username then pass only that data instead of the user/pass combo.
As far as encryption goes, it's scalable depending on how secure you want to make it. If you just want a light encryption that's very easy, but not incredibly secure, you should explore MIME::Base64. Technically, it's an encoding and not a true encryption, but I think it's good enough to keep the most unsophisticated snoopers (aka average web users) at bay. At the very least, they can't just type in random plain-text usernames to see if they get lucky.
If you want more than this super-basic method, then you'll need to follow the links in the other replies.
How's the encryption done? Is it through JavaScript, which is done at the client end?
That's a bit of a nebulous question, but the encryption/encoding I was thinking of is all done in Perl, before it gets to the client.
Re: Secure way of passing variables between forms
by planetscape (Chancellor) on Dec 28, 2005 at 12:12 UTC