Your session ID should just be a random number (I use a UUID from Data::UUID for it) which is the key to the session data in the DB. There is thus no need to encrypt the session ID. It does not make your site more secure.
I see two possible "points of failure":
- Can a user access your database and "steal" a valid session ID? (this is solved by limiting access to your database to only your web-server / CGI-scripts)
- Can anyone intercept the data between the client's browser and your web-server and thus obtain a valid session ID? (this is solved by using HTTPS rather than HTTP as your protocol).
CountZero
"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James
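
A sketch of the scheme described in the post above, as an added example that is not CountZero's code: the session ID is an opaque random key to a server-side row, and the cookie is marked Secure so it only travels over HTTPS. The in-memory SQLite database, the table layout, the cookie name `sid` and the helper names are assumptions; the ID is read from /dev/urandom rather than Data::UUID so that it is unpredictable as well as unique.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite stands in for the site's session database (assumption).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE sessions (id TEXT PRIMARY KEY, user_name TEXT, expires INTEGER)');

# 128 random bits from the OS, hex-encoded. The ID carries no meaning of its
# own, so there is nothing in it to encrypt.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $bytes, 16;
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack 'H*', $bytes;
}

# Keep the session data server-side, keyed by the ID.
sub create_session {
    my ($user, $ttl) = @_;
    my $id = new_session_id();
    $dbh->do('INSERT INTO sessions (id, user_name, expires) VALUES (?, ?, ?)',
             undef, $id, $user, time() + $ttl);
    return $id;
}

# Resolve an ID from the cookie; malformed, unknown or expired IDs give undef.
sub lookup_session {
    my ($id) = @_;
    return unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    my ($user) = $dbh->selectrow_array(
        'SELECT user_name FROM sessions WHERE id = ? AND expires > ?',
        undef, $id, time());
    return $user;
}

# Secure keeps the cookie off plain HTTP; HttpOnly hides it from page scripts.
sub session_cookie_header {
    my ($id) = @_;
    return "Set-Cookie: sid=$id; Path=/; Secure; HttpOnly";
}

my $sid = create_session('alice', 1800);    # constructed sample user, 30 min TTL
print session_cookie_header($sid), "\n";
print 'valid ID   -> ', lookup_session($sid) // 'no session', "\n";
print 'guessed ID -> ', lookup_session('0' x 32) // 'no session', "\n";
```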