Hello, I am a new Perl Monk and have a brief question concerning security.

I have devised a fairly simple yet, I believe, very robust security system for accessing a limited-access part of a website and would like an assessment.

I have written an HTML file with JavaScript in it that will be used to gain access to the limited-access part of the website.

In this HTML file are two scripts. The first script contacts the server, and the server sends a random character string to the client-side JavaScript. The second script concatenates the random string with a second secret string embedded in the HTML file and then SHA1-hashes this into a new string (see http://pajhome.org.uk/crypt/md5/sha1src.html). The script sets this string as a cookie, and effectively this new string then becomes the session id for the user, and the user can proceed to access the limited part of the website for one session. On the server side, the server has a copy of the secret code that the client will be using and of course knows the random string it just generated. The server (which is of course mod_perl) will then SHA1-hash the secret code and its randomly generated string to see if the session id is valid. In addition to this, after the challenge, hash, and authentication are completed, a password is asked for.

I know this is in fact a virtual duplicate of the CHAP login method, just used in a different way, but I wanted to know if there are any obvious security threats I missed.

For anyone wondering: the HTML file will be kept on the client computer and the secret code will be a 192 hex string. The reason I am not just using password security is that I am doing this for a client who has trouble remembering passwords, so he keeps his passwords simple. This security feature prevents random guessing machines from nailing his password. If someone tries to contact the limited part of the site and does not have a valid session id, then the server will simply respond with a 404 page not found error -- this will fend off most robots, and people for that matter.

2003-04-28 edit ybiC: format with (evidently intended) paragraphs, urlify link


In reply to Security and JavaScript by rlgarris682
