I know what you are talking about because I ran into that problem myself now that I'm re-designing my website

The way that I worked it out is your first idea, although I'm not using logged in users.. so I have some comments about that:

• For security reasons try to avoid the fields inside the html pages, although it is hidden.. but people can see it... so you might not want to include secure information there. and unless all your navigation is done using buttons to POST the form, your links will contain all the data as GET strings.
• I think that the best way to do this is to use cookies; but then again you will have to make all your users enable cookies in their browsers, but I think that it is a more "secure" (?) way for it, so your users can specify if they want to stay always logged in, or not.
• You can insert the right SSI now using information provided by the client cookie.

This might not be perfect, but I thought I'd share my idea.

the method I have used a number of times for security handling is a combination of cookies and password/identifiers. It is not by any means industrial strength protection...

• User logs in via CGI validation
• if validated, CGI encrypts secret info, stores encrypted string in cookie, also save other non-scure stuff in clear unencrypted cookies, like an ID.
• every time user hits site, CGI nabs id and encrypted cookie, uses ID to get secret info (local source, user flat file, database, whatever), encrypts secret info (using same salt used in first encryption). compares new encrypted string against cookie version.
• if two encrypted strings match, user is allowed in, else bounce to login screen

SSL would make all of the above much safer as the initial login would not be in the clear.

good luck!

My upcoming WebTechniques column (not yet in print, so not in the website) talks about "branding" a particular browser with a cookie, and then associating that cookie with a user for a time-limited period of time, with the association maintained server-side so there was no chance of spoofing the server. It's actually quite simple with File::Cache. Took about 40 lines of code. Maybe I'll post it as a snippet.

-- Randal L. Schwartz, Perl hacker

The way that almost all commercial-grade application servers do it is to create a unique string (e.g., based on a call to crypt() of a combination of the return value from time() and the user's IP address) and associate it with the user by an entry in, say, the session table in the database.

Then that session string is attached either via a CGI parameter or a cookie. Forcing users to accept cookies is so common these days that you really won't lose traffic by storing the session information in a cookie.

Since there is no private information stored in the session string, it really doesn't matter whether you use CGI parameters or cookies.

Certainly avoid at all costs putting user information such as user name or password in CGI parameters. It's about as flagrant a security hole as there is. Might as well just put all the user names and passwords on the login page for reference.

Hope this helps,

-Me