[cgiapp] Safe way to remember user login?
Hi All,

I know a lot of sites have a check box for "remember me" or what not. But I'm trying to figure out a safe way to do this. Saving the username and password in cookies wouldn't be secure, so I guess some kind of cookie ID. But then once you display the login form you'd be writing out the password into the <input type=password value=...>, which isn't secure either, as someone could view source and grab it.

I'm guessing this kind of thing has come up for a lot of people on this list. Care to share a solution?

Lyle

# CGI::Application community mailing list
## To unsubscribe, or change your message delivery options,
## visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
## Web archive: http://www.erlbaum.net/pipermail/cgiapp/
## Wiki: http://cgiapp.erlbaum.net/
Re: [cgiapp] Safe way to remember user login?
Lyle wrote:
> I know a lot of sites have a check box for remember me or what not. But
> I'm trying to figure out a safe way to do this.

For me, the safest way to do it is to let the browser remember. All the major browsers know how to remember usernames and passwords nowadays, so why duplicate that feature?

> Saving the username and password in cookies wouldn't be secure, so I
> guess some kind of cookie ID.

Storing an encrypted username and pw would be ok.

> But then once you display the login form you'd be writing out the
> password into the input type=password value=, which isn't secure either
> as someone could view source and grab it.

You're right that if someone checked "remember me" on a public computer then someone else could come by later and recover the username and password of the last person to do that. But that's the risk that happens when people tell public computers to remember their private information.

--
Michael Peters
Plus Three, LP
Re: [cgiapp] Safe way to remember user login?
The way I've accomplished this is by adding something like an md5key column to the users database. When someone checks the "remember me" button you can generate a key based on something like their username / password / the current date + some salt (or whatever you like). Then store that key in the database table and pass a copy back to the user as a cookie with an expiration of 1 week (or however long you'd like).

Now, of course, if someone gets hold of that cookie information they will be able to log in. So for a little added security you might want to set up a second field in the user database beside the md5key field that contains a valid-until date. That way, when you check the cookie md5key vs the database md5key, you check first that they match (if not, you have a problem right off the bat). If they do match and the current date is not past the md5key expiry date, then you let the person into the system; otherwise, kick them back to the login screen.

---
Steve Comrie

Lyle wrote:
> Hi All,
>
> I know a lot of sites have a check box for remember me or what not. But
> I'm trying to figure out a safe way to do this. Saving the username and
> password in cookies wouldn't be secure, so I guess some kind of cookie
> ID. But then once you display the login form you'd be writing out the
> password into the input type=password value=, which isn't secure either
> as someone could view source and grab it.
>
> I'm guessing this kind of thing has come up for a lot of people on this
> list, care to share a solution?
>
> Lyle
Re: [cgiapp] Safe way to remember user login?
On Tue, Jan 13, 2009 at 5:41 PM, Lyle <webmas...@cosmicperl.com> wrote:
> People wrote:
>> (various comments)
>
> I think you're right, I shouldn't worry and just let the browser handle
> it. I might make it remember the username by default for convenience if
> they choose to enter their password each time.

I don't understand the "remember me" thing. If you use a cookie with a session key, and maintain on the server side that the user wants to be remembered, why even display the login page to them? Just treat them as already logged in, and let them into your site. That's what's going to happen anyway if you fill in the userID and password for them.

It seems to me like what's really happening here is someone wanting to not be logged off for 2 weeks. Making them go through the login page with their credentials supplied for them, that's just making it harder to remain logged in for 2 weeks. (?)

Maybe I don't get it.

Mark
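The scheme Steve describes (a per-user key column plus a valid-until column, a cookie carrying a copy of the key, and a match-then-expiry check on each request), combined with Mark's point that a cookie which passes that check should simply count as a login rather than refill the form, worked through as an added example. This is not code from the list or from CGI::Application, and it is written in Python rather than Perl. The in-memory USERS table, the cookie name "remember", the function names and the one-week lifetime are this example's own; it also departs from the post in two deliberate ways noted in the comments: the key is drawn from a CSPRNG instead of being derived from the username, password and date, and only a SHA-256 hash of it is kept server-side.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the users table in the post: a remember-me key
# column next to a valid-until column. Real code keeps this in the
# application's database; the table and column names are this example's own.
USERS = {
    "lyle": {"key_hash": None, "valid_until": 0},
}

LIFETIME_SECONDS = 7 * 24 * 3600   # the one-week expiry from the post


def _key_hash(key):
    # Only a hash of the key is stored, so a dumped table does not hand an
    # attacker cookies that log straight in. (SHA-256 rather than MD5.)
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_remember_me(username, now=None):
    """User ticked "remember me": mint a fresh random key, record its hash
    and expiry against the user, and return the value to put in the cookie."""
    now = time.time() if now is None else now
    # A CSPRNG token instead of a hash of username/password/date: it cannot
    # be recomputed by anyone who learns the password, and it is unique per
    # issue, so it can be revoked without touching the password.
    key = secrets.token_urlsafe(32)
    row = USERS[username]
    row["key_hash"] = _key_hash(key)
    row["valid_until"] = now + LIFETIME_SECONDS
    # The username rides along so the server knows which row to compare.
    return f"{username}:{key}"


def set_cookie_header(cookie_value, valid_until):
    """Set-Cookie line for that value. HttpOnly keeps page scripts away from
    it, Secure keeps it off plain HTTP, SameSite=Lax limits cross-site use."""
    expires = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime(valid_until))
    return (f"Set-Cookie: remember={cookie_value}; Expires={expires}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


def check_remember_me(cookie_value, now=None):
    """Return the username the cookie proves, or None.

    Both checks from the post, in order: the key must match the stored one,
    and the current time must not be past the valid-until date. Any failure
    gets the same answer (None: send them to the login screen); a caller
    that gets a username treats the request as already logged in."""
    now = time.time() if now is None else now
    username, sep, key = cookie_value.partition(":")
    row = USERS.get(username)
    if not sep or row is None or row["key_hash"] is None:
        return None
    # Constant-time compare: a plain == would let an attacker time how many
    # leading characters of a guessed key were right.
    if not hmac.compare_digest(row["key_hash"], _key_hash(key)):
        return None
    if now > row["valid_until"]:
        revoke_remember_me(username)   # expired: clear the row as well
        return None
    return username


def revoke_remember_me(username):
    """Forget the key: on logout, password change, or suspected cookie theft."""
    row = USERS.get(username)
    if row is not None:
        row["key_hash"] = None
        row["valid_until"] = 0
```

One key per user means a new "remember me" on a second browser invalidates the first; a per-device token table lifts that limit, but the match-then-expiry check stays the same.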
[cgiapp] a CGI::Application::Dispatch problem
hi all,

Directory /cgi-bin/test/ has two files, test_ca.pm and test_ca.cgi:

<code>
#test_ca.pm
package test_ca;

use strict;
use warnings;
use Data::Dumper;
use base 'CGI::Application';

sub setup {
    my $self = shift;
    $self->mode_param('rm');          # run mode comes from the "rm" parameter
    $self->start_mode('showform');
    $self->run_modes([qw/do1 do2 do3/]);
}

sub cgiapp_postrun {
    my $self = shift;
    $self->header_add( -charset => 'gbk' );
}

sub do1 {
    return '<html><body><p>do1</p></body></html>';
}

1;   # a module must return true when loaded

#test_ca.cgi
use strict;
use warnings;
use base 'CGI::Application::Dispatch';

CGI::Application::Dispatch->dispatch(
    prefix => '',
    table  => [
        ':app/:rm' => { },            # first path part = module, second = run mode
    ],
    # debug => 1,
);
</code>

Now I visit the URL http://mywebsite/cgi-bin/test/test_ca.cgi/test_ca/do1, and the browser returns 404 Not Found. This is my first time using the CGI::Application::Dispatch module, and I need your help.

2009-01-14
ximiff