I'll try to answer your questions one at a time.

Firstly, MD5 and the old crypt methods of encryption are both one-way.  
If you lose your password you cannot get it back.  If one of my users 
loses their password, I simply generate a new one for them.  Provided 
your system is totally secure, you could store the passwords as 
plain-text. It is up to you to decide if your box is safe enough.  Both 
of mine are behind a decent firewall but I still consider them unsafe.

I have two main systems, both of which use crypt for the passwords.  In 
the 1st system I store user details in a table and have users log in 
using a form.  In the second I use .htaccess and store the passwords in 
a file.  There are no real benefits of one over the other, and it's 
purely a case of which you prefer.

The only main difference is that with the htaccess system, the server 
supplies you with the user ID at every request, while with the form 
based one, you need to maintain some sort of session data.

I do this by having a session table in my database, and storing the key 
as a hidden field in the subsequent forms, or as part of the URL after 
the '?'.

Next, the problem of having the perl script protected only some of the 
time.  This sounds like you're using one perl script for two functions. 
This is generally not a good idea for maintenance and legibility.  I 
would therefore split this up into two separate scripts.  If they have 
large amounts of common code, you could split those off into a module 
and call it from both scripts.

If you really want to keep it as one script, then put it in the 
unprotected cgi-bin directory, and then create a link to it in the 
protected directory.


Hope this helps,

Gary

On Friday 04 May 2001 11:10 am, Sawsan Sarandah wrote:

> Greetings,
>
> I am trying to determine the best method for creating a secure
> members' only area of a website. The public area of the site displays
> data retrieved from mysql tables. The private area will allow members
> to update their own data within those tables. I found plenty of
> documentation on the net regarding the implementation of secure files
> and subdirectories using apache's .htaccess file. My problem is that
> I only want to restrict the functionality of certain parts of a perl
> script, not a subdirectory or file. I want to be able to do this by
> requesting a username and password in html format, not a popup menu.
> I am also looking into MD5 encryption in order to pass the encrypted
> value through cgi from one request to another until the user is done.
> From what I can see, MD5 only uses one-way encryption. For example, I
> want to know if I can safely store the username and password in a
> standard mysql table? Should they be stored in encrypted format? If
> so, how would I be able to send a user their password if they forgot
> it when the password is encrypted and MD5 cannot retrieve it? I have
> full root access to my own Linux server (RH7) and am using apache
> with open SSL enabled. The cgi-bin for https requests is in a
> different subdirectory. I am wondering if I should pass requests to a
> new perl script located in the SSL cgi-bin once the user has been
> authenticated or if it is secure enough to stay in the non-secure
> cgi-bin. The data itself is not that sensitive. I just don't want
> other people to break in and change it around.
>
> Basically, I want to know how I should approach this problem and if
> there are any online resources that can get me thinking.
>
> Any help is appreciated. Thanks.
>
> Ibrahim Dawud

-- 
Gary Stainburn
 
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000 
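The scheme Gary describes (one-way crypt hashes in a user table, a password reset instead of a recovery, and an opaque session key kept in a session table and echoed back in a hidden field or after the '?') as an added, self-contained Perl example; this is not code from either poster's system. It assumes a Unix crypt(3) that understands the glibc-style "$1$" MD5 salt format, and the in-memory hashes %users and %sessions are constructed stand-ins for the MySQL user and session tables.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Characters allowed in a crypt(3) salt.
my @SALT_CHARS = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');

sub random_string {
    my ($len) = @_;
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. $len;
}

# Build an MD5-crypt salt ("$1$" + 8 chars + "$"). Assumption: the system
# crypt(3) supports this glibc-style format; a libc without it would need a
# plain two-character salt, which selects the traditional DES algorithm.
sub new_salt {
    return '$1$' . random_string(8) . '$';
}

# One-way: this is the value that goes into the users table, never the plaintext.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, new_salt());
}

# Verify without decrypting anything: crypt() reads the salt out of the stored
# hash, so hashing the candidate with it must reproduce the stored string.
sub check_password {
    my ($plain, $stored) = @_;
    return crypt($plain, $stored) eq $stored;
}

# Forgotten password: the old one is unrecoverable, so issue a fresh one and
# store only its hash. The plaintext is returned once for delivery to the user.
sub reset_password {
    my ($users, $name) = @_;
    my $new_plain = random_string(10);
    $users->{$name} = hash_password($new_plain);
    return $new_plain;
}

# Session key for the form-based login: an opaque random value. The key goes
# into the session table here and into a hidden field (or after the '?') on
# the next form; the username itself is never carried in the form.
sub new_session {
    my ($sessions, $name, $ttl) = @_;
    my $key = md5_hex(join ':', $$, time, rand(), random_string(16));
    $sessions->{$key} = { user => $name, expires => time + $ttl };
    return $key;
}

# Look a key up on a later request; unknown or expired keys yield undef.
sub session_user {
    my ($sessions, $key) = @_;
    my $s = $sessions->{$key} or return undef;
    if ($s->{expires} < time) { delete $sessions->{$key}; return undef; }
    return $s->{user};
}

# --- constructed sample data, standing in for the users and session tables ---
my %users = ( alice => hash_password('correct horse') );
my %sessions;

print "login ok:     ", (check_password('correct horse', $users{alice}) ? 'yes' : 'no'), "\n";
print "wrong pw:     ", (check_password('wrong',         $users{alice}) ? 'yes' : 'no'), "\n";

my $key = new_session(\%sessions, 'alice', 1800);
print "session user: ", session_user(\%sessions, $key), "\n";
print "bogus key:    ", (defined session_user(\%sessions, 'deadbeef') ? 'hit' : 'none'), "\n";

my $fresh = reset_password(\%users, 'alice');
print "old pw now:   ", (check_password('correct horse', $users{alice}) ? 'yes' : 'no'), "\n";
print "new pw works: ", (check_password($fresh, $users{alice}) ? 'yes' : 'no'), "\n";
```

In a real CGI script the only things that change are where %users and %sessions live (the MySQL tables) and where the key comes from (the hidden field or query string). The point the thread makes is visible in check_password: the stored hash is never reversed, it is simply recomputed from the candidate and compared, so a database dump exposes hashes rather than passwords.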