Hi Monks! I'm trying to make a simple authentication script which would render (or not) some HTML pages depending on whether the user is logged in. I use the CGI::Session mechanism for this, please see the code. This is index.pl:
#I've not posted use directives, HTML::Template variables declarations and et cetera, because it doesn't actually matter in this case.
if (!$cookie{CGISESSID}{value}[0]) { # check if there is a session cookie in user's browser.
    print "Content-Type: text/html\n\n";
    print $auth->output; # render form which would require entering login and password.
} else {
    # render secret page
}
and here is auth.pl:
#!/usr/bin/perl
use CGI;
use HTML::Template;
use CGI::Cookie;
use strict;
use CGI::Session;
use lib ('../');
use MySite;

my $q        = new CGI;
my %params   = MySite::get_params($q);
my $login    = "vu";
my $password = "Stella744";
my $t     = HTML::Template->new(filename => '../templates/auth_success.tmpl');
my $t_err = HTML::Template->new(filename => '../templates/Auth_error.tmpl');

if ($ENV{REQUEST_METHOD} ne 'POST') {
    print "Content-type: text/html\n\n";
    print "Sorry. Don't do this.";
} else {
    if (($params{login} eq $login) and ($params{password} eq $password)) {
        my $session = CGI::Session->new() or die CGI::Session->errstr;
        my $cookie = $q->cookie( -name => $session->name, -value => $session->id );
        #print "Set-Cookie: $cookie\n";
        # $session->header() already emits the Content-type line plus the session cookie;
        # a second "Content-type:" print would end up as text in the page body.
        print $session->header(-charset => 'utf-8');
        print $t->output;
    } else {
        print "Content-type: text/html\n\n", $t_err->output;
    }
}
It actually works, but one issue is worrying me: the cookie named CGISESSID (which is the session cookie) is checked just for its existence, so theoretically one can open the cookie file and write some random symbols into CGISESSID's value, and the script will actually render the secret page! How to avoid this situation?
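One way to close the gap the post describes, as an added example (not the poster's code): instead of testing whether a CGISESSID cookie exists, let index.pl hand the cookie to CGI::Session->load, which looks the id up in the server-side store and hands back an empty session for any id it does not know, and require a flag that only auth.pl sets after the password check. It assumes CGI::Session's default file driver, a CGI.pm recent enough to accept -httponly, and placeholder strings where the post's templates would be rendered.

```perl
#!/usr/bin/perl
# Added example: server-side session validation for the post's two scripts.
# A forged CGISESSID value has no matching session in the store, so load()
# returns an empty session and the secret page is never rendered.
use strict;
use warnings;
use CGI;
use CGI::Session;

my $q = CGI->new;

# ---- auth.pl: what the "login and password matched" branch should do ----
sub start_login_session {
    my ($q, $user) = @_;
    my $session = CGI::Session->new() or die CGI::Session->errstr;
    $session->param('logged_in', 1);   # the flag index.pl will insist on
    $session->param('user', $user);
    $session->expire('+1h');           # idle timeout; expired sessions fail the check
    $session->flush();                 # persist before the response is sent
    # Cookie flags are an assumption: HttpOnly keeps page scripts from reading
    # the id, Secure keeps it off plain HTTP (drop -secure until the site is HTTPS).
    my $cookie = $q->cookie(
        -name     => $session->name,
        -value    => $session->id,
        -httponly => 1,
        -secure   => 1,
    );
    return $q->header(-cookie => $cookie, -charset => 'utf-8');
}

# ---- index.pl: replaces the "does the cookie exist?" test ----
sub logged_in_session {
    my ($q) = @_;
    # load() reads CGISESSID from the request and looks it up in the store;
    # it never creates a session, so an unknown or tampered id yields an empty one.
    my $session = CGI::Session->load(undef, $q) or die CGI::Session->errstr;
    if ($session->is_expired) { $session->delete; $session->flush; return; }
    return if $session->is_empty;
    return unless $session->param('logged_in');
    return $session;
}

if (my $session = logged_in_session($q)) {
    print $q->header(-charset => 'utf-8');
    print "secret page for ", $session->param('user');  # the secret template goes here
} else {
    print $q->header(-charset => 'utf-8');
    print "login form";                                   # $auth->output in the post
}
```

In auth.pl the success branch becomes `print start_login_session($q, $login), $t->output;` so that the session carries the flag before the cookie is handed out.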

In reply to CGI::Session and simple authentication by Kyshtynbai