[Cgi-session-user] Password (or lack of one) Storage Question
From: Justin S. <ju...@sk...> - 2006-08-15 05:52:11
Thought this may have been asked before, but the archives say nothing :) Anyways, in the CGI::Session::Tutorial it states:

> First rule of thumb, do not store users' passwords or other sensitive data in the session, please. If you have to, use one-way encryption, such as md5, or SHA-1. For my own experience I can assure you that in properly implemented session-powered Web applications there is never a need for it.

Source: http://search.cpan.org/~markstos/CGI-Session-4.14/lib/CGI/Session/Tutorial.pm#STORAGE

I am in total agreement with this statement, but how do you check the credentials of the user if there isn't some sort of credentials in the session file? I thought this would be one of the most frequently asked questions.

My guess is that before you issue a session, you first check the credentials of the person and, if they check out, you issue the session with the correct bits in there to allow the individual to use your webapp. Since you've checked the credentials once, checking a saved username/password pair again and again from the same session information is redundant and a security risk, since some sort of credentials, however encrypted, are in the session itself. Is this the basic gist of the situation, or is there more?

Currently, my webapp *does* store an encrypted password, but the password can be decrypted using a shared key - so if you have access to the session file, you'll also most likely have access to this shared key (which is located in a different physical place - NOT in the session file, but still easy enough to find, if you look hard enough). This scenario is like it is because the actual password is stored in an encrypted form via crypt(). Safe to say, I'd like to close up this little (big) security hole in my webapp, but I don't want to open another hole somewhere else.

Thanks for all guidance, you've all been a great help to me,

Justin Simoni
--
:: is an eccentric artist, living and working in Denver, Colorado
:: URL: http://justinsimoni.com
:: Mailing List - http://justinsimoni.com/mailing_list.html
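The flow the question guesses at (verify the crypt() hash once at login, then keep only the user's identity in the session), as an added example written against CGI::Session; this is not code from the original post or from CGI::Session itself, and the user table, session directory and parameter names are constructed for illustration:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Constructed user table: username => crypt() hash of the password.
# A real application would load this from its own user store.
my %users = ( justin => crypt('mypass01', 'x7') );

# crypt() takes its salt from the stored hash, so re-hashing the
# candidate password must reproduce the stored hash exactly.
sub password_ok {
    my ($user, $pass) = @_;
    my $stored = $users{$user} or return 0;
    return crypt($pass, $stored) eq $stored ? 1 : 0;
}

# Check credentials once; record only identity in the session.
# No password, encrypted or not, ever goes into the session file.
sub login {
    my ($session, $user, $pass) = @_;
    return 0 unless defined $user && defined $pass && password_ok($user, $pass);
    $session->param(user      => $user);
    $session->param(logged_in => 1);
    $session->flush;
    return 1;
}

# Later requests trust the session's own flag; the password is never re-checked.
sub current_user {
    my ($session) = @_;
    return $session->param('logged_in') ? $session->param('user') : undef;
}

my $q = CGI->new;
my $session = CGI::Session->new('driver:file', $q, { Directory => '/tmp/sessions' })
    or die CGI::Session->errstr;
$session->expire('+1h');    # idle sessions are discarded after an hour

if (($q->param('action') || '') eq 'login') {
    if (login($session, scalar $q->param('user'), scalar $q->param('pass'))) {
        print $session->header(-type => 'text/plain'), "logged in\n";
    } else {
        print $q->header(-type => 'text/plain', -status => '401 Unauthorized'), "bad credentials\n";
    }
} else {
    my $user = current_user($session);
    print $session->header(-type => 'text/plain'), defined $user ? "hello $user\n" : "please log in\n";
}
```

Because nothing in the session can be turned back into a password, a leaked session file exposes that one session rather than the user's credentials, and the shared decryption key described above is no longer needed at all.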