Re: [Cgi-session-user] Password (or lack of one) Storage Question
From: Mark S. <ma...@su...> - 2006-08-15 13:35:17
Justin Simoni wrote:
> Thought this may have been asked before, but the archives say
> nothing :) Anyways, in the CGI::Session::Tutorial it states:
>
> # First rule of thumb, do not store users' passwords or other
> sensitive data in the session, please.
> If you have to, use one-way encryption, such as md5, or SHA-1-1. For
> my own experience I can assure
> you that in properly implemented session-powered Web applications
> there is never a need for it.
>
> Source: http://search.cpan.org/~markstos/CGI-Session-4.14/lib/CGI/Session/Tutorial.pm#STORAGE
>
> I am in total agreement with this statement, but! how do you check
> the credentials of the user, if there isn't some sort of credentials
> in the session file? I thought this would be one of the most Frequently
> Asked Questions.
>
> My guess is, that before you issue a session, you first check the
> credentials of the person and if they check out, you issue the
> session, with the correct bits in there to allow the individual to
> use your webapp. Since you've checked the credentials once, checking
> a saved username/password pair again and again from the same session
> information is redundant and a security risk, since some sort of
> credentials, however encrypted, are in the session itself.
>
> Is this the basic gist of the situation, or is there more?

That's basically it.

I usually store the name/pass in a "users" table, and check them at login
time, at which point "is_logged_in" gets added to the session. After that I
simply check "is_logged_in".

Mark
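The pattern Mark describes, written out as an added example (this is not code from the thread or from the CGI::Session distribution): credentials are verified once against a "users" table, only an "is_logged_in" flag and the username go into the session, and the password never touches the session store. The DSN, the session directory, the column layout of the users table (username, salt, pw_hash) and the use of a salted SHA-256 for the stored hash are all assumptions of this example; in a real deployment a deliberately slow password hash such as bcrypt or Argon2 is the better choice.

```perl
#!/usr/bin/perl
# Added example: check credentials at login, keep only a login flag in the session.
use strict;
use warnings;
use CGI;
use CGI::Session;
use DBI;
use Digest::SHA qw(sha256_hex);

my $cgi = CGI->new;

# Assumed DSN and schema: users(username, salt, pw_hash). DBD::SQLite is assumed installed.
my $dbh = DBI->connect('dbi:SQLite:dbname=app.db', '', '', { RaiseError => 1 });

# Session options (directory is an assumption); the session id is read from the
# CGISESSID cookie/query parameter, or a fresh session is created if none exists.
my $sess_opts = { Directory => '/tmp/sessions' };
my $session   = CGI::Session->new('driver:File', $cgi, $sess_opts);
$session->expire('+1h');

# Compare the submitted password against the stored one-way hash. Nothing
# derived from the password is ever written into the session.
sub check_credentials {
    my ($user, $pass) = @_;
    return 0 unless defined $user && defined $pass;
    my $row = $dbh->selectrow_hashref(
        'SELECT salt, pw_hash FROM users WHERE username = ?', undef, $user);
    return 0 unless $row;
    # Salted SHA-256 for brevity; prefer bcrypt/Argon2 in production.
    return sha256_hex($row->{salt} . $pass) eq $row->{pw_hash} ? 1 : 0;
}

if (defined $cgi->param('login')) {
    my $user = $cgi->param('username');
    if (check_credentials($user, $cgi->param('password'))) {
        # Drop the pre-login session and issue a new id so that an id chosen
        # before authentication cannot be reused (session fixation mitigation).
        $session->delete;
        $session->flush;
        $session = CGI::Session->new('driver:File', undef, $sess_opts);
        $session->expire('+1h');
        $session->param('is_logged_in', 1);
        $session->param('username',     $user);
    }
    else {
        $session->clear(['is_logged_in', 'username']);
    }
}
elsif (defined $cgi->param('logout')) {
    # Remove the whole session rather than only the flag, then start clean.
    $session->delete;
    $session->flush;
    $session = CGI::Session->new('driver:File', undef, $sess_opts);
}

$session->flush;

# header() sends the CGISESSID cookie along with the content type.
print $session->header(-type => 'text/html');

# After login, authorisation decisions only look at the flag.
if ($session->param('is_logged_in')) {
    print 'Welcome back, ', $cgi->escapeHTML($session->param('username')), "\n";
}
else {
    print "Please log in.\n";
}
```

The only state the session carries after a successful login is the flag and the username; a stolen session file reveals who is logged in but no credential that could be replayed against the users table or any other system.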