Mark, this issue has been bitten to death...

Anyway, IMO, using http authentication is a LOT more simple... (should not take more than five lines of perl)

--
:: Sergio A. Kessler ::
Linux user #64005 - http://counter.li.org

----- Original Message -----
From: "Mark Hedges" <[EMAIL PROTECTED]>

>
> If the encrypted password can be read by the web server from
> users/members, and the encrypted password is the string used to
> authenticate in the get/post requests, it seems like there is no
> real security provided by the encryption, because the encrypted
> string is used as the secret, rather than the unencrypted
> password... and it isn't very secret.
>
> To be useful, it seems like the unencrypted password should be
> used to login, and then a one-time session-id hash should be
> generated to maintain authenticity for a single session in the
> get/post requests. Access via command line should require an
> initial login with the actual secret password to obtain the
> session-id hash which is good for a limited time and corresponds
> to an IP address. This way an eavesdropper cannot simply pull
> the encrypted password string from the members file to use for
> access. They would have to know the actual password, which is
> the point of the encryption.
>
> Apache::Session and CGI::Session are mature CPAN packages that
> can handle this in a secure way.
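The scheme Mark's quoted message describes, written out as an added example (not code from the thread, and not how Apache::Session or CGI::Session implement it): the members file holds only a salted password hash, login requires the real password, and a successful login yields a random session id that expires after a fixed time and is bound to the client's IP address. The flawed variant he objects to, where the stored hash string itself is accepted as the credential, is included as `weak_login` for contrast. The user record, the 15-minute lifetime, the IP addresses and all function names are assumptions made for the illustration.

```python
"""Session-id authentication sketch (added example, not from the list thread).

Secure path: client sends the real password once; the server checks it
against a stored salted hash and issues a random, short-lived session id
bound to the client IP.  Reading the members file then yields nothing the
login endpoint accepts, which is the property the quoted message asks for.
"""
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 15 * 60        # seconds a session id stays valid (assumed value)
PBKDF2_ITERATIONS = 200_000  # work factor for the stored password hash


def hash_password(password, salt=b""):
    """Return 'salthex$digesthex' using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed "members file": username -> stored hash.  The web server can read
# it, but the value is not usable as a login secret in the secure scheme.
MEMBERS = {"alice": hash_password("correct horse battery staple")}

# Server-side session table: session id -> (user, client ip, expiry timestamp)
SESSIONS = {}


def weak_login(user, presented):
    """The flawed design from the quoted message: whoever knows the stored hash
    string is authenticated, so the hash is the secret, not the password."""
    return hmac.compare_digest(presented, MEMBERS.get(user, ""))


def login(user, password, client_ip, now=None):
    """Initial login with the real password; returns a session id or None."""
    now = time.time() if now is None else now
    stored = MEMBERS.get(user)
    if stored is None or not verify_password(password, stored):
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    SESSIONS[sid] = (user, client_ip, now + SESSION_TTL)
    return sid


def authorize(sid, client_ip, now=None):
    """Check a session id on a later request; returns the user or None."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, bound_ip, expiry = entry
    if now >= expiry:            # limited lifetime
        SESSIONS.pop(sid, None)
        return None
    if bound_ip != client_ip:    # session corresponds to one IP address
        return None
    return user


def logout(sid):
    """Invalidate a session id server-side."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    sid = login("alice", "correct horse battery staple", "10.0.0.5")
    print("session ok:", authorize(sid, "10.0.0.5") == "alice")
    print("hash accepted as password:", login("alice", MEMBERS["alice"], "10.0.0.5") is not None)
    print("hash accepted by weak design:", weak_login("alice", MEMBERS["alice"]))
```

In the secure path the stored hash is rejected as a password (the server hashes whatever is presented, so the hash of the hash does not match), while `weak_login` accepts it directly; that difference is the whole of the objection in the quoted message. The IP binding is a coarse check: clients behind a changing proxy or NAT will lose their session, which is the trade-off the scheme makes for limiting replay from another host.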

