----- Original Message -----
From: Jerry Preeper <preeper@stripped>
To: <mysql@stripped>
Sent: Tuesday, August 10, 1999 4:11 PM
Subject: how to handle username/password in a db
[snip]
> My questions are:
>
> 1) Should I use cookies to track their session or is there a better
> method?
> I understand I can set like a 60 minute cookie with a unique string
> containing their username and password that can be passed back and forth
> as they go through various screens. Is this reasonably reliable or is there
> a better method that holds their username and password as they go through
> various screens?
I use an early version of Apache::Session that creates an MD5 session key,
which is then logged to the database and returned to the user as a 'per
browser' expiring cookie.
This way I'm only passing the MD5 key rather than user/pass all the time
(conceivably secure even for non-https).
> Any perl examples of either would be greatly appreciated.
You might read the online chapters (or buy the book) at
http://modperl.apache.org
> 2) One way encrypting of password vs two way. One thing I'm afraid of is
> that people will invariably lose their password and it would be nice to
> have a routine that they can have it emailed to the email address in the
> database. I'm guessing to do this, however, I would need to use an
> encryption scheme that can be used to encrypt and decrypt. Is this still
> reasonably secure? Or would it be preferable to stick with one-way
> encryption and if someone loses their password, just issue them a new one?
> I'm trying to automate as much as I can.
I'd just issue a new one.
> 3) Overall security. I don't want to put this behind a .htaccess file
> simply to avoid the extra steps. I also want to make sure people who are
> on webtv and things like that won't have problems with stuff like cookies
> either. The data in the file isn't super top secret but I would like to
> maintain a reasonably good level of security. Is there an advantage to
> putting it behind a secure server (https)? Any thoughts or comments would
> be appreciated.
> Thanks again.
>
> Jerry Preeper
If cookies are an issue, you could use the same MD5 scheme except use a
'mangled uri' scheme where the session key is appended. (See Apache::Session
for details).
Advantage of https? :-) comfort, warm fuzzies?
-Jay J
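The scheme Jay describes (an opaque session key logged to the database and handed back as an expiring cookie, one-way password storage, and "just issue a new one" on a lost password) as an added example, written here for this thread in Python rather than Perl; it is not Jay's code and not Apache::Session. The in-memory USERS and SESSIONS dicts are constructed stand-ins for the MySQL tables, the 60-minute lifetime follows Jerry's question, and the choice of a random token from the OS and a salted PBKDF2 hash instead of a bare MD5 digest is this example's, not the thread's.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-ins for the database tables (assumption: real code
# would issue SELECT/INSERT/DELETE against MySQL instead).
USERS = {}      # username -> {"salt": bytes, "hash": bytes, "email": str}
SESSIONS = {}   # session_key -> {"user": str, "expires": float}

SESSION_TTL = 60 * 60   # 60 minutes, the lifetime asked about in the question
ITERATIONS = 100_000    # PBKDF2 work factor; raise as hardware allows


def hash_password(password, salt=None):
    """One-way, salted hash; only salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def create_user(username, password, email):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "email": email}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Do the same work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def login(username, password, now=None):
    """Return the opaque key to put in the Set-Cookie header, or None."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    key = secrets.token_hex(16)   # 128 random bits; the cookie carries only this
    SESSIONS[key] = {"user": username, "expires": now + SESSION_TTL}
    return key


def user_for_session(key, now=None):
    """Map the cookie value back to a user; unknown or expired keys give None."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(key)
    if rec is None:
        return None
    if now > rec["expires"]:
        del SESSIONS[key]         # server-side expiry, independent of the cookie
        return None
    return rec["user"]


def logout(key):
    SESSIONS.pop(key, None)


def reset_password(username):
    """'Just issue a new one': store only the hash, return the clear text
    and the address on file so the caller can mail it. Returns None for an
    unknown user. Every live session of the user is dropped as well."""
    rec = USERS.get(username)
    if rec is None:
        return None
    new_password = secrets.token_urlsafe(9)
    rec["salt"], rec["hash"] = hash_password(new_password)
    for k in [k for k, s in SESSIONS.items() if s["user"] == username]:
        del SESSIONS[k]
    return new_password, rec["email"]


if __name__ == "__main__":
    create_user("jerry", "correct horse", "jerry@example.invalid")
    key = login("jerry", "correct horse")
    print("session user:", user_for_session(key))
    print("after reset, old session user:", reset_password("jerry") and user_for_session(key))
```

Because the cookie holds nothing but a random lookup key, a captured cookie is good only until the row expires or is deleted, and the username and password never cross the wire after the login form itself; the `now` parameter exists so the expiry path can be exercised without waiting an hour.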