Re: Implementing security in CGI

[Differentiated Software Solutions Pvt. Ltd.]

Hi,

My question is much more basic than that. I wanted to validate my design
ideas on a programmatic security.
I would like somebody to go through the following and tell me that I'm on
the right track.

The idea I had was, at the time of login, I generate the session id which I
write to the cookie.
I have also tied to this session_id the user's login profile.
Every other screen checks for the cookie's existence and reads back the
session_id and gets the user's profile. I hope I'm right till then.
When the user signs out then we can delete the tied file.
Now any person who has access to the same browser will still have to login
to get to the inner pages.

If the browser is killed without sign-out from the system, even then there's
no problem.
Next person who gets access to the browser and tries to access any inner
page will not be able to, because the cookie with the session-id does not
exist.

Am I right ??? Please help.

Thanks,

Murali

-----Original Message-----
From: Gunther Birznieks <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: 19 April 2000 18:44
Subject: Re: Implementing security in CGI


>Apache::Session could be useful. But the session key that is generated is
>arguable not necessarily the most secure that it could be. But it is pretty
>good.
>
>I'm probably opening up a can of worms by saying this.
>
>The MD5 hash itself is relatively secure as hashes go (although SHA hash
>space could be better). But you are relying on underlying system variables
>to determine what is put into MD5 hashing in the first place -- and this
>data is not necessarily the most random-- process ID, time, memory address
>of the created hash, etc... Are a bit deterministic. rand() might be good
>if it is on a system that plugs natively into a good entropy generator on
>that machine.
>
>To get a better key, you probably end up spending more time pulling
>relatively random data sources together so key generation itself would be
>slow-- a computational tradeoff. Depends on how "secure" you really want to
>be. For most situations,  Apache::Session's key generator will work fine.
>
>It also depends how long you intend the sessions to be active. Will they
>become a "token" that is used in lieu of authentication once the user has
>entered a username and password or issued a digital client certificate to
>your web site? Or will it be used after the user registers for a month+ to
>allow them to get back into your site without remember a password.
>
>-- Gunther
>
>At 01:34 PM 4/19/00 +0530, Differentiated Software Solutions Pvt. Ltd.
wrote:
>>Hi,
>>
>>We are having a site which is programmed with perl/CGI.
>>To enter the site we have a login and password.
>>After which some reports are displayed.
>>
>>I know that using cookies it is possible to secure the site.
>>Can somebody guide me on how to design and implement a cookie based
>>security. Sites and books on same will be greatly appreciated.
>>
>>Would Apache::Session be useful for this ??
>>
>>Thanks for the help,
>>
>>Murali
>>
>>Differentiated Software Solutions Pvt. Ltd.,
>>176, Gr. Floor, 6th Main
>>2nd Block RT Nagar
>>Bangalore - 560 032
>>India
>>Ph: 91 80 3431470
>>email : diffs+AEA-vsnl.com
>>http://www.diffs-india.com
>>
>>Differentiated Software Solutions Pvt. Ltd.,
>>176, Gr. Floor, 6th Main
>>2nd Block RT Nagar
>>Bangalore - 560 032
>>India
>>Ph: 91 80 3431470
>>email : diffs+AEA-vsnl.com
>>http://www.diffs-india.com
>
>__________________________________________________
>Gunther Birznieks ([EMAIL PROTECTED])
>Extropia - The Web Technology Company
>http://www.extropia.com/