----- Original Message -----
From: Jerry Preeper <preeper@stripped>
Sent: Tuesday, August 10, 1999 4:11 PM
Subject: how to handle username/password in a db
> My questions are:
> I understand I can set like a 60 minute cookie with a unique string
> containing their username and password that can be passed back and forth
> they go through various screens. Is this reasonably reliable or is there
> better method that holds their username and password as they go through
> various screens?
I use an early version of Apache::Session that creates an MD5 session key,
which is then logged to the database and returned to the user as a 'per
browser' expiring cookie.
This way I'm only passing the MD5 key rather than user/pass all the time
(conceivably secure even for non-https).
> Any perl examples of either would be greatly appreciated.
You might read the online chapters (or buy the book) at
> 2) One way encrypting of password vs two way. One thing I'm afraid of is
> that people will invariably lose their password and it would be nice to
> have a routine that they can have it emailed to the email address in the
> database. I'm guessing to do this, however, I would need to use an
> encryption scheme that can be used to encrypt and decrypt. Is this still
> reasonably secure? Or would it be preferable to stick with one-way
> encryption and if someone loses their password, just issue them a new one?
> I'm trying to automate as much as I can.
I'd just issue a new one.
> 3) Overall security. I don't want to put this behind a .htaccess file
> simply to avoid the extra steps. I also want to make sure people who are
> on webtv and things like that won't have problems with stuff like cookies
> either. The data in the file isn't super top secret but I would like to
> maintain a reasonably good level of security. Is there an advantage to
> putting it behind a secure server (https)? Any thoughts or comments would
> be appreciated.
> Thanks again.
> Jerry Preeper
If cookies are an issue, you could use the same MD5 scheme except use a
'mangled uri' scheme where the session key is appended. (See Apache::Session
Advantage of https? :-) comfort, warm fuzzies?