List:General Discussion« Previous MessageNext Message »
From:Jerry Preeper Date:August 10 1999 9:11pm
Subject:how to handle username/password in a db
View as plain text  
Hi All,

I was wondering how others might be handling the allowing of access to a
perl script using a database that includes usernames and passwords.  

For example, I am working on a project where I have a perl program that
will allow people to add to and edit listings in a list table.  Each
listing has a user id attached to it (users may have multiple listings) and
there is a separate table for all these people that would include their
contact info, their username and password.  These are not people that would
be in the mysql privileges table - it's a web based thing.  

What I want to be able to do is to have a login screen that they enter
their username and password, which then determines what they are allowed to
do.  For example, they would only be able to edit certain items in existing
records that they are the user id on and add new records (which would still
need to be approved by an administrator).  An administrator (who would also
have a login) would be able to do lots of other things in the db.  There is
a field in the database that determines what level the person is when they
log in based upon their username/password.

My questions are: 

1) Should I use cookies to track their session or is there a better method?
  I understand I can set like a 60 minute cookie with a unique string
containing their username and password that can be passed back and forth as
they go through various screens.  Is this reasonably reliable or is there a
better method that holds their username and password as they go through
various screens?  

Any perl examples of either would be greatly appreciated.

2) One way encrypting of password vs two way.  One thing I'm afraid of is
that people will invariably lose their password and it would be nice to
have a routine that they can have it emailed to the email address in the
database.  I'm guessing to do this, however, I would need to use an
encryption scheme that can be used to encrypt and decrypt.  Is this still
reasonably secure?  Or would it be preferable to stick with one-way
encryption and if someone loses their password, just issue them a new one?
I'm trying to automate as much as I can.

3) Overall security.  I don't want to put this behind a .htaccess file
simply to avoid the extra steps.  I also want to make sure people who are
on webtv and things like that won't have problems with stuff like cookies
either.  The data in the file isn't super top secret but I would like to
maintain a reasonably good level of security.   Is there an advantage to
putting it behind a secure server (https)?  Any thoughts or comments would
be appreciated.

Thanks again.

Jerry Preeper



Thread
how to handle username/password in a dbJerry Preeper10 Aug
  • Re: how to handle username/password in a dbDaevid Vincent10 Aug
    • Re: how to handle username/password in a dbJerry Preeper11 Aug
      • Re: how to handle username/password in a dbJules Bean11 Aug
  • Re: how to handle username/password in a dbJay J11 Aug
  • Re: how to handle username/password in a dbAlex Heiphetz11 Aug