Apache::Session could be useful. But the session key that is generated is 
arguably not necessarily the most secure that it could be. But it is pretty 
good.

I'm probably opening up a can of worms by saying this.

The MD5 hash itself is relatively secure as hashes go (although SHA hash 
space could be better). But you are relying on underlying system variables 
to determine what is put into MD5 hashing in the first place -- and this 
data is not necessarily the most random -- process ID, time, memory address 
of the created hash, etc. are a bit deterministic. rand() might be good 
if it is on a system that plugs natively into a good entropy generator on 
that machine.

To get a better key, you probably end up spending more time pulling 
relatively random data sources together so key generation itself would be 
slow -- a computational tradeoff. Depends on how "secure" you really want to 
be. For most situations, Apache::Session's key generator will work fine.

It also depends how long you intend the sessions to be active. Will they 
become a "token" that is used in lieu of authentication once the user has 
entered a username and password or issued a digital client certificate to 
your web site? Or will it be used after the user registers for a month+ to 
allow them to get back into your site without remembering a password?

-- Gunther

At 01:34 PM 4/19/00 +0530, Differentiated Software Solutions Pvt. Ltd. wrote:
>Hi,
>
>We are having a site which is programmed with perl/CGI.
>To enter the site we have a login and password.
>After which some reports are displayed.
>
>I know that using cookies it is possible to secure the site.
>Can somebody guide me on how to design and implement a cookie based
>security. Sites and books on same will be greatly appreciated.
>
>Would Apache::Session be useful for this ??
>
>Thanks for the help,
>
>Murali
>
>Differentiated Software Solutions Pvt. Ltd.,
>176, Gr. Floor, 6th Main
>2nd Block RT Nagar
>Bangalore - 560 032
>India
>Ph: 91 80 3431470
>email : diffs@vsnl.com
>http://www.diffs-india.com

__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
Extropia - The Web Technology Company
http://www.extropia.com/
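
As an added illustration of Gunther's point about where a session key's entropy actually comes from (this is not code from Apache::Session or from either poster), here is a key built only from the guessable inputs he lists, beside one that draws from the kernel entropy pool; the function names, the 32-byte length and the /dev/urandom path are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak construction (for comparison only): every input is something an
# observer can narrow down -- the clock, the server's process ID, a rand()
# value that may be seeded from those same two, and a heap address.
# Hashing them with MD5 hides the values but does not add entropy.
sub weak_session_key {
    my $ref  = \my $scratch;            # stringifies as SCALAR(0x...)
    my $seed = join ':', time(), $$, rand(), "$ref";
    return md5_hex($seed);
}

# Stronger construction: take the key material from the OS entropy pool
# and never put a deterministic value into the key at all. 32 bytes gives
# 256 bits, far beyond what an attacker could enumerate online.
sub strong_session_key {
    my $n = 32;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $n;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $n;
    return unpack 'H*', $bytes;         # 64 hex characters
}

# Rough upper bound on the search space an attacker faces for the weak
# key, given what they can assume (comment values are assumptions):
#   time()  known to within a few seconds  ->  ~2-3 bits
#   $$      at most 2^15 on classic systems -> 15 bits
#   address a few hundred plausible values  ->  ~8 bits
# rand() seeded from time and pid adds nothing independent, so the whole
# key is brute-forceable offline in well under 2^30 MD5 operations.

print "weak:   ", weak_session_key(),   "\n";
print "strong: ", strong_session_key(), "\n";
```

Which construction matters depends, as Gunther says, on how long the cookie stands in for the password; a long-lived "remember me" token deserves the stronger one.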
