On Wednesday, October 15, 2003, at 02:49 AM, David Christensen wrote:
>> 1.) Establish an SSL connection
>> 2.) Require the user to indentify himself (username and password)
>> 3.) Check against some kind of user database
>> 4.) Create a unique session ID number which can not easily guessed
>> by others
>> 5.) Store the ID on the users machine (cookie) or send it as part
>> of the HTTP request ("foo.bar.org/myscript?SID=a3cc69...")
> As I thought.
> Question: are the HTTP requests (with CGI fields and values, including
> session_id) encrypted when using https?
>> I use CGI:Session in combination with HTML::Template and they
>> cooperate well. Nicest feature is that you can redisplay pages filled
>> with session data with a few lines of code (e.g. if you want a user to
>> correct input made earlier in the session).
> Good. I've been able to get CGI::Application, HTML::Template, and
> CGI::FormBuilder working together, but it took careful reading of the
> documents, a fair amount of thinking, and a bit of experimentation.
I just got done creating a framework for a secure application (well,
not so secure because I don't use https... more like a "personalized
weak security" application). I used CGI-Session. Very nicely done
application. I wish CGI-Session had a driver for my favorite dsn,
SQLite, but hopefully that will arrive eventually (CGI-Session author
provides instructions on creating ones own driver, but such things are
beyond me as I am mortal). Most personalized/security applications
depend on the "server," and as such, would work better with
Apache+mod_perl, but even with plain Apache the mileage is pretty good.