Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello monks,

Which Perl module would you recommend to encrypt hidden values in a web form? I only know CGI::EncryptForm 1.02 but have not used it before.

Re: Encrypt web form values
by CountZero (Bishop) on Dec 05, 2008 at 17:07 UTC
    Why would you want to do such a thing? What can be so secret that even the recipient of the web-page should not be trusted to read it?

    If you do not want the data to be known, then just don't send the data. Instead send a cookie and keep the data on your system. The data in the cookie (which can be as simple as a UUID) will be the key to your cookie-vault where the webserver can retrieve it.

    And if you want to avoid eavesdroppers, use a secure protocol such as HTTPS, so third parties cannot even intercept the cookie's content and use it in a replay-attack.

    Oh yes, and of course use only session cookies and expire them in any case after a short while of no connections.

    CountZero

    "A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

      Thanks, you got me thinking.

      I need to encrypt certain values so that they can't be modified by the recipient of the web-page (such as downloading the page and modifying the hidden values). These values will be used when the page is submitted for server-side processing.

      Should I be looking at CGI::Session to store the data? Can the recipient of a web-page manipulate these data for unintended purposes? In other words, can web-form values stored using CGI::Session be reliably used?

        Hi,

        Yes, you should definitely look into CGI::Session. No, the user cannot modify it if you're not allowing it from the server-side code. You can store almost whatever you want, and yes, it can be reliably used. For storage you also have several options: file, db, cache, etc.

        Regards,

        fmerges at irc.freenode.net
Re: Encrypt web form values
by zentara (Cardinal) on Dec 05, 2008 at 16:45 UTC
    Crypt::RC4 is something fast, and encrypted strings can be base64-encoded to be put into a hidden field. You can then decode the hidden field on every cgi run.

    You can sort of hide the key from casual eyes, with some code like:

    my $password = pack('C*', (0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef));

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Crypt::RC4;
    use MIME::Base64;

    my $key       = "abcdefghijklm";
    my $plaintext = "Hello, World!";

    # RC4 is symmetric: the same call encrypts and decrypts
    my $encrypted = RC4($key, $plaintext);

    # base64 makes the ciphertext safe to place in a hidden field
    my $encoded = encode_base64($encrypted);
    my $decoded = decode_base64($encoded);
    print "$encoded\n";
    print "$decoded\n";

    my $decrypted = RC4($key, $decoded);
    print "$decrypted\n";

    I'm not really a human, but I play one on earth
    Remember How Lucky You Are
      I like your simple solution using Crypt::RC4. Thanks!
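The original question asks for values the recipient cannot modify, which is an integrity requirement rather than a secrecy one; the following is an added example, not code from any post above, that seals a hidden field with an HMAC (Digest::SHA, core Perl) so the server can reject a tampered value on submit. The secret string and the `price=...` payload are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# Server-side secret (placeholder): load it from config, never embed it in the page.
my $secret = 'replace-with-a-long-random-secret';

# Build the hidden field value: base64(payload) . "." . base64(hmac_sha256(payload))
sub seal_value {
    my ($payload) = @_;
    my $mac = hmac_sha256($payload, $secret);
    return encode_base64($payload, '') . '.' . encode_base64($mac, '');
}

# Verify a submitted hidden field. Returns the payload, or undef if it was altered.
sub open_value {
    my ($field) = @_;
    my ($p64, $m64) = split /\./, $field, 2;
    return undef unless defined $p64 && defined $m64;
    my $payload  = decode_base64($p64);
    my $got      = decode_base64($m64);
    my $expected = hmac_sha256($payload, $secret);
    return undef unless length($got) == length($expected);
    # Constant-time comparison: do not leak where the first mismatching byte is.
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($got) - 1;
    return $diff == 0 ? $payload : undef;
}

# Constructed sample value for the hidden field
my $hidden = seal_value('price=19.99;item=42');
print "hidden field value: $hidden\n";

my $ok = open_value($hidden);
print "verified: ", (defined $ok ? $ok : 'REJECTED'), "\n";

# Simulate the recipient editing the downloaded page: change one character of the payload.
(my $tampered = $hidden) =~ s/^./X/;
my $bad = open_value($tampered);
print "tampered: ", (defined $bad ? $bad : 'REJECTED'), "\n";
```

A sealed value can still be replayed in a different form or session unchanged, so include a session or form identifier in the payload and check it server-side as well.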