spatterson has asked for the wisdom of the Perl Monks concerning the following question:

I'm building a website that's open to anyone for viewing and that only authorised users can modify, using the following pseudocode for handling logins.

Have I left any obvious holes? 

login
    - read username & password, check against database
      - if they're correct
        - create pseudo-random session ID
        - store session ID on database
        - return session ID in cookie
        - cookie lasts 1 hour
        - session ID on database lasts 1 hour (script for removal?)
    - else user is not logged in, gets view privs only

checking login - to be done before any admin action
    - read session from cookie
    - if session exists on database, user is logged in, gets admin
      privs
    - else user is not logged in, gets view privs only
      - try to delete cookie

logout
    - delete database session
    - try to delete cookie

[download]
just another cpan module author

Replies are listed 'Best First'.
Re: Cookie login (pseudocode)
by merlyn (Sage) on Feb 20, 2008 at 11:52 UTC
[reply]
Re: Cookie login (pseudocode)
by moritz (Cardinal) on Feb 20, 2008 at 11:51 UTC
    It looks fine to me.

    Note that CGI::Session can do much of that work for you, for example session storage and expiration.

[reply]
Re: Cookie login (pseudocode)
by Cody Pendant (Prior) on Feb 20, 2008 at 12:32 UTC
    I've seen applications which re-check the password at your "checking login" stage, presumably on the assumption that users might log in at one computer, forget to log out and leave it vulnerable, like in an internet café?

    Logging in somewhere else and changing the password kills the first session.


    Nobody says perl looks like line-noise any more
    kids today don't know what line-noise IS ...
[reply]
Re: Cookie login (pseudocode)
by DBAugie (Beadle) on Feb 20, 2008 at 12:49 UTC
    Be sure to include some kind of exception handling so that difficulties updating the user row (updating the session_id to either the session_id value or resetting it back to null) doesn't leave your application in pieces on the floor or wide open.

    Constrain what will be accepted as userid/password combinations so that someone cannot add a bit of sql to the end of the login string and read your whole user base.

    I'm not a big fan of storing userid/password combinations in the clear, but that's up to you. (I'm also not an expert on encryption or obfuscation, or else I'd offer some technique to avoid that)

    Good luck

[reply]
      Constrain what will be accepted as userid/password combinations so that someone cannot add a bit of sql to the end of the login string and read your whole user base.

      No! Use place holders in the first place, then you don't even have to sanitize the user input for DB operations.

[reply]
        Moritz, Please elaborate on the use of place holders for this purpose. I have a similar need, and I'm not sure what you are recommending here. Thanks, --Akoya.
[reply]
      Re: storing passwords in cleartext

      In the past, i've used javascript to hash the password client-side, and compare it to the hashed passwords stored in the database.

      The hashed password is still sent in the clear (and someone eavesdropping can still use it to log in), but no cleartext passwords are revealed to the eavesdropper or someone who has gained entry to the db.

      While it doesn't do much for the security of your application, it will prevent an attacker from trying a password on another system (e.g. to access your e-mail or banking information)

[reply]
Re: Cookie login (pseudocode)
by Anonymous Monk on Feb 20, 2008 at 11:53 UTC
[reply]
Re: Cookie login (pseudocode)
by gwhite (Friar) on Feb 20, 2008 at 18:39 UTC

    as a user works on the site their expiration time should be updated to now + 1hr, as you have stated it, at 61 minutes I will have to login again. It should be after an hour of not making changes.

    g_White
[reply]

Back to Seekers of Perl Wisdom