OK, after reading the document posted earlier, I believe that I wasn't that far off. Here's what I got wrong:

1. Using IP address verification.
2. Not creating "un-guessable" session_keys (they were just base64).
Note: The present system already maintains all sensitive data server-side, and every session expires (server-side) after 20 (configurable) minutes. All client-side data is stored in cookies and currently consists of only the username and session_id. However, I have a slight problem: I can't really assume that the customer has anything installed other than CGI and CGI::Cookie. I also can't assume that the customer even has access to a compiler, which rules out any XS modules, which means no MD5 or SHA-1. This script may very well be used on hosted accounts or even homepages.

So here's the last question: If I use crypt() with a 2-byte private key that is generated at install-time, and perhaps even regenerated daily (first session after 0:00h?), how secure is that? Why does the posted document suggest passing plain-text along with the encrypted key? Is this any better/worse than without plain-text? (My plan would be to change the current "creation_time + ip_addr" of my session_key to "expiration_time + user_name".)

Thanks again in advance for any suggestions,
Grant M.
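Added example, not part of the original post or a reply to it: a session id generator and validator that stays within the constraints stated above (core Perl only, no XS digest modules), so that the cookie value is a meaningless random lookup key instead of a crypt() of "expiration_time + user_name". The `/dev/urandom` source, the `%SESSIONS` store and the `create_session` / `lookup_session` names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): server-side session store
# keyed by an unguessable random id, using only core Perl.
use strict;
use warnings;

use constant SESSION_BYTES   => 16;       # 128 bits of entropy per id
use constant SESSION_TIMEOUT => 20 * 60;  # 20 minutes, as in the post

# Read raw bytes from the kernel CSPRNG. perl's rand() is not suitable
# for session ids, so fail closed if /dev/urandom is unavailable.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    my $got = read($fh, my $buf, $n);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# The id carries no meaning (no time, no user, no IP); it is only a
# lookup key. Everything sensitive stays in %SESSIONS on the server.
# (Assumed in-memory store; a real CGI would persist it to a file or DB.)
my %SESSIONS;   # id => { user => ..., expires => epoch seconds }

sub create_session {
    my ($user) = @_;
    my $id = unpack 'H*', random_bytes(SESSION_BYTES);   # 32 hex chars
    $SESSIONS{$id} = { user => $user, expires => time + SESSION_TIMEOUT };
    return $id;
}

# Validate by lookup and expiry, never by decrypting the cookie value.
# Strict format check first, so malformed cookies never reach the store.
sub lookup_session {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    my $s = $SESSIONS{$id} or return undef;
    if (time > $s->{expires}) { delete $SESSIONS{$id}; return undef; }
    $s->{expires} = time + SESSION_TIMEOUT;   # sliding 20-minute expiry
    return $s->{user};
}

# A 2-byte key has only 2**16 = 65536 possible values; a 16-byte random
# id has 2**128, which is what makes it "un-guessable".
my $id = create_session('grant');
printf "session id: %s\n", $id;
printf "valid for:  %s\n", lookup_session($id) // '(none)';
printf "tampered:   %s\n", lookup_session(substr($id, 1) . '0') // '(none)';
```

The id is the only value that needs to go into the cookie (via CGI::Cookie), and the username can then be looked up server-side rather than trusted from the client.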
