In reply to: login page

Please reconsider your strategy and assumed specs. You are supposed to be protecting valid user accounts from unauthorized access. If unauthorized hackers happen to guess a valid user name, but fail to guess the correct password, you should not encourage further attempts by telling them, in effect, "OK, you got a usable username, now you just need to get the password."

(Surely you wouldn't consider saying something like "the password was not 6 characters as expected and had the wrong character in the third and fifth positions..." -- the more information you provide, the more you jeopardize your own security.)

If either the user name or password is incorrect, you should just be responding with "Invalid login attempt, please try again." Don't say anything more about what, in particular, was invalid. If either or both fields are empty, you can say "You need to fill in both user name and password." That's it.

So you really have only two distinct responses to worry about, and the different conditions to trigger one vs. the other should be pretty simple to work out.

Re^2: login page
by mikeB (Friar) on Dec 19, 2006 at 15:28 UTC
    Along the same lines, it's a bit of a security risk to store cleartext passwords in the database. Better to store a hash or encrypted version of the password. Check out the MD5 and Crypt:: family of modules on CPAN. You might also want to consider letting the database do the matching work with something along the lines of:
    use strict;
    use warnings;
    use DBI;   # $dbh is assumed to be an already-connected DBI handle
    
    # One query does the lookup and the match; the two "?" placeholders are
    # bound to $id and $password so nothing is interpolated into the SQL.
    my $user_info = $dbh->selectrow_hashref(q/
       select <some fields> 
       from users 
       where id = ? and password = ?
    /, undef, $id, $password);
    
    # selectrow_hashref returns undef when no row matched, so a wrong user
    # name and a wrong password both land in the same else branch.
    if (defined $user_info) {
       # valid user
    } else {
       # handle a bad one here
    }
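The following is an added example, not code from either reply above, that puts the two posts together: the first reply's rule that the login form returns only two distinct messages, and mikeB's advice to store a hash rather than the cleartext password and to let a bound-parameter query do the lookup. It assumes DBI with DBD::SQLite (used here for an in-memory table so the script runs stand-alone) and the core Digest::SHA module; the table layout, the user record and the helper names are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example: uniform login responses plus salted-hash password storage.
# Assumes DBI, DBD::SQLite and Digest::SHA are installed.
use strict;
use warnings;
use DBI;
use Digest::SHA qw(sha256_hex);

# Exactly two user-facing responses, as the first reply recommends.
use constant MSG_EMPTY   => "You need to fill in both user name and password.";
use constant MSG_INVALID => "Invalid login attempt, please try again.";

# Constructed in-memory table standing in for the real users table.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id TEXT PRIMARY KEY, salt TEXT NOT NULL, "
       . "pw_hash TEXT NOT NULL)");

# Salted hash of a password; the salt keeps identical passwords from
# producing identical stored values.
sub hash_password {
    my ($salt, $password) = @_;
    return sha256_hex($salt . $password);
}

sub create_user {
    my ($id, $password) = @_;
    # Demo-grade per-user salt; rand() is not a cryptographic source.
    my $salt = sha256_hex(rand() . time . $$);
    $dbh->do("INSERT INTO users (id, salt, pw_hash) VALUES (?, ?, ?)",
             undef, $id, $salt, hash_password($salt, $password));
}

# Compare two strings without stopping at the first mismatching byte, so
# response timing does not reveal how much of the hash matched.
sub const_time_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1)
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (1, undef) on success, (0, message) otherwise. The message is the
# same whether the user name is unknown or the password is wrong.
sub check_login {
    my ($id, $password) = @_;
    return (0, MSG_EMPTY)
        if !defined $id || $id eq '' || !defined $password || $password eq '';

    # Bound parameter: the user name is never interpolated into the SQL.
    my $row = $dbh->selectrow_hashref(
        "SELECT salt, pw_hash FROM users WHERE id = ?", undef, $id);

    # Unknown user: still compute a hash so the timing matches a real lookup.
    my $salt   = $row ? $row->{salt}    : 'dummy-salt';
    my $stored = $row ? $row->{pw_hash} : hash_password('dummy-salt', '');
    my $ok = const_time_eq(hash_password($salt, $password), $stored);

    return ($ok && $row) ? (1, undef) : (0, MSG_INVALID);
}

create_user('alice', 'correct horse');   # constructed sample account

for my $attempt (['alice', 'correct horse'], ['alice', 'wrong'],
                 ['nobody', 'wrong'],        ['alice', '']) {
    my ($ok, $msg) = check_login(@$attempt);
    printf "%-8s %-16s => %s\n", $attempt->[0], "'$attempt->[1]'",
           $ok ? "logged in" : $msg;
}
```

Because each user has its own salt, the database cannot do the password match in the WHERE clause the way mikeB's snippet does; the row is fetched by user name and the comparison happens in Perl. Both the unknown-user and wrong-password paths return MSG_INVALID and perform the same hash computation, which is what keeps the two failure cases indistinguishable to the client. For production use, a purpose-built password hash from the Crypt:: family on CPAN (for example Crypt::Eksblowfish::Bcrypt) is preferable to a single salted SHA-256.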