cgi-session-user

[Cgi-session-user] Password (or lack of one) Storage Question

[Justin S. <ju...@sk...>]

Thought this may have been asked before, but the archives say  
nothing :) Anyways, in the CGI::Session::Tutorial it states:

	# First rule of thumb, do not store users' passwords or other  
sensitive data in the session, please.
	If you have to, use one-way encryption, such as md5, or SHA-1-1. For  
my own experience I can assure
	you that in properly implemented session-powered Web applications  
there is never a need for it.

	Source: http://search.cpan.org/~markstos/CGI-Session-4.14/lib/CGI/ 
Session/Tutorial.pm#STORAGE

I am in total agreement with this statement, but! how do you check  
the credentials of the user, if there isn't some sort of credentials  
in the session file? I thought this would be one the most Frequently  
Asked Question.

My guess is, that before you issue a session, you first check the  
credentials of the person and if they check out, you issue the  
session, with the correct bits in there to allow the individual to  
use your webapp. Since you've checked the credentials once, checking  
a saved username/password pair again and again from the same session  
information is redundant and a security risk, since some sort of  
credentials, however encrypted are in the session itself.

Is this the basic jist of the situation, or is there more?

Currently, my webapp *does* store an encrypted password, but the  
password can be decrypted using a shared key - so if you have access  
to the session file, you'll also most likely have access to this  
shared key (which is located in a different physical place - NOT in  
the session file, but still easy enough to find, if you look hard  
enough). This scenario is like it is, because the actual password is  
stored in an encrypted form via crypt(). Safe to say, I'd like to  
close up this little (big) security hole in my webapp, but I don't  
want to open another hole somewhere else.

Thanks for all guidance, you've all been a great help to me,

Justin Simoni
-- 
:: is an eccentric artist, living and working in Denver, Colorado
:: URL: http://justinsimoni.com
:: Mailing List - http://justinsimoni.com/mailing_list.html

Re: [Cgi-session-user] Password (or lack of one) Storage Question

[Mark S. <ma...@su...>]

Justin Simoni wrote:
> Thought this may have been asked before, but the archives say  
> nothing :) Anyways, in the CGI::Session::Tutorial it states:
> 
> 	# First rule of thumb, do not store users' passwords or other  
> sensitive data in the session, please.
> 	If you have to, use one-way encryption, such as md5, or SHA-1-1. For  
> my own experience I can assure
> 	you that in properly implemented session-powered Web applications  
> there is never a need for it.
> 
> 	Source: http://search.cpan.org/~markstos/CGI-Session-4.14/lib/CGI/ 
> Session/Tutorial.pm#STORAGE
> 
> I am in total agreement with this statement, but! how do you check  
> the credentials of the user, if there isn't some sort of credentials  
> in the session file? I thought this would be one the most Frequently  
> Asked Question.
> 
> My guess is, that before you issue a session, you first check the  
> credentials of the person and if they check out, you issue the  
> session, with the correct bits in there to allow the individual to  
> use your webapp. Since you've checked the credentials once, checking  
> a saved username/password pair again and again from the same session  
> information is redundant and a security risk, since some sort of  
> credentials, however encrypted are in the session itself.
> 
> Is this the basic jist of the situation, or is there more?

That's basically it.

I usually store the name/pass in a "users" table, and check them at 
login time, at which point "is_logged_in" gets added to the session.

After that I simply check "is_logged_in".

	Mark

Re: [Cgi-session-user] Password (or lack of one) Storage Question

[root <ro...@s1...>]

On Tue, Aug 15, 2006 at 09:33:54AM -0400, Mark Stosberg wrote:

> I usually store the name/pass in a "users" table, and check them at 
> login time, at which point "is_logged_in" gets added to the session.
> 
> After that I simply check "is_logged_in".
> 

I  used the same method as Mark does, in addition I set the value of "is_logged_in" 
to the PRIMARY KEY collumn of the user. This helps me not just ensure the user is
authenticated, but also the ID of the user, which can be used to load 
his details, if need  be (to greet him, may be, but read on)

Although I like keeping sessions open for longer time, to ensure the privacy of the
users I set an expiration to the 'is_logged_in' session parameter, from 5 to 30 minutes
(depending on the sensitivity of the profile data). This allows me
to still be able to greet the users with their first name even after weeks 
(by storing the user's name in the session object), or display their recently viewed
pages, or keep their shopping cart data, but force them to re-identify themselves
when it comes to accessing their sensitive profile information.


Good luck.

Sherzod Ruzmetov