Franki wrote:
Hi Guys,

I have to setup an online database of our clients details so they can log in
and see all their latest transactions and stuff...


I have written most of the app already using perl with CGI::Application and
HTML::Template (and of course DBI..)

However, one thing concerns me.. session management.. I could use
CGI::Session to do the job, (previously, for non secret stuff, I have just
set a cookie and used that to validate login.. but cookies are not secure
enough for this application.)

After much reading and searching, I found it said many times that session
management was best done by the web server not the application...

can anyone extrapolate on that?  Is there a cross platform way of doing
it??? something I could move over to one of our other servers.. (maybe even
the one IIS box we have..)

or should I just use CGI::Session with MySQL lookups to do it???

In the same vein, can .htaccess files be setup to use MySQL tables to
validate users???


Any tips would be much appreciated.



regards

Frank

Frank,

I've been looking at this a lot lately as well for some of the same reasons and applications. One of the things I'm seeing pop up quite often is the use of .htaccess files for authentication with a bit of encryption for good measure.

You might also include a small routine in your main PERL script to allow for user authentication storing the values in a table which is readable only by authentic users knowing their login. You could then use SSL connection between the CGI and the database for sending the username/password pairs over an insecure line.

I've been using a variation of this scheme to accommodate lower security needs where authentication is required for access points to an online application and it works out nicely for all involved.

Of course the authentication routines have to be at the forefront of the entire application and nothing else may proceed unless the user is properly authenticated making the PERL program accessible only in a very small part. If there is no "good" value pair stored inside the program, which should be wiped out at session end, then any and all commands passed to the program are outright rejected by the program.

Mark
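Frank's CGI::Application stack with the gate Mark describes, as an added example that is not from either poster: a cgiapp_prerun hook that refuses every run mode unless the MySQL-backed CGI::Session already carries an authenticated user, a session cookie flagged Secure and HttpOnly, transactions scoped by the session rather than by a request parameter, and the server-side record wiped at logout. The DSN, credentials, table layout and the salted SHA-256 password check are assumptions made for this example.

```perl
package ClientPortal;
use strict; use warnings;
use base 'CGI::Application';
use CGI::Session;
use DBI;
use Digest::SHA qw(sha256_hex);

# Placeholder DSN; assumed tables users(id,username,salt,pw_hash), transactions(user_id,posted,amount,memo), sessions.
my $DSN = 'DBI:mysql:database=portal;host=localhost';

sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes([qw(login do_login transactions logout)]);
    $self->{dbh} = DBI->connect($DSN, 'portal', 'PLACEHOLDER_PW', { RaiseError => 1 });
    # State stays server-side in MySQL; the browser only holds the opaque session id.
    my $s = $self->{session} = CGI::Session->new('driver:MySQL', $self->query, { Handle => $self->{dbh} });
    $s->expire('+30m');
    $self->header_add(-cookie => $self->query->cookie(-name => $s->name, -value => $s->id,
                                                      -secure => 1, -httponly => 1, -path => '/'));
}

# Gate in front of every run mode: without an authenticated session only login is reachable.
sub cgiapp_prerun {
    my ($self, $rm) = @_;
    return if $rm eq 'login' || $rm eq 'do_login';
    $self->prerun_mode('login') unless $self->{session}->param('user_id');
}

sub login { '<form method="post"><input type="hidden" name="rm" value="do_login">User <input name="username"> Password <input type="password" name="password"><input type="submit"></form>' }

sub do_login {
    my $self = shift;
    my $q = $self->query;
    my $row = $self->{dbh}->selectrow_hashref(
        'SELECT id, salt, pw_hash FROM users WHERE username = ?', undef, $q->param('username'));
    # Salted SHA-256 stands in for a proper password KDF here (assumption, not the thread's scheme).
    return $self->login unless $row && sha256_hex($row->{salt} . $q->param('password')) eq $row->{pw_hash};
    $self->{session}->param(user_id => $row->{id});
    $self->{session}->flush;
    return $self->transactions;
}

sub transactions {
    my $self = shift;
    my $rows = $self->{dbh}->selectall_arrayref(   # scoped by the session's user, never by a request param
        'SELECT posted, amount, memo FROM transactions WHERE user_id = ?', undef, $self->{session}->param('user_id'));
    return join '', map { '<p>' . join(' ', map { $self->query->escapeHTML($_) } @$_) . '</p>' } @$rows;
}

sub logout {
    my $self = shift;
    $self->{session}->delete;   # wipe the server-side record at session end
    $self->{session}->flush;
    return 'Logged out.';
}
1;
```

The instance script is the usual `ClientPortal->new->run;` under a TLS-only vhost, since the Secure flag makes the cookie useless over plain HTTP.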