> 
>  3) Perl-based applications can just use the module and the common key
>     to decrypt the contents of the cookie to find the authenticated
>     username.  If the cookie is not present redirect to the central
>     authentication page, passing in the URL to return to after
>     authentication.

Hmmm... Can I do it securely without using Kerberos? I think so. Looks like
if I use https instead of http, people won't be able to steal my (encoded)
session information as it is transmitted. And I can also add the IP address
to the cookie information.

But the cookies file might be readable by other people! If they can steal
that file and change the IP address of another machine to yours, they can
pretend they are you!
I wonder if there is a way out of this...

Simon

-- 
Simon (Vsevolod ILyushchenko)
http://www.simonf.com

"A man who feels himself a citizen of the world whose 
loyalty is to the human race and to life, rather than 
to any exclusive part of it; a man who loves his country 
because he loves mankind, and whose judgement is not 
warped by tribal loyalties." Erich Fromm
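As an added illustration of the concern raised in this message (not code from the thread or from any of the posters), the Perl below seals the username, the client IP address and an expiry time with an HMAC under the shared key instead of merely encrypting them, so a cookie copied from another user's cookies file fails verification when presented from a different address or with any field altered. The shared key, the hypothetical `make_ticket`/`check_ticket` names and the sample addresses are all constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Shared secret known to every participating application (placeholder value).
my $SECRET = 'replace-with-a-long-random-shared-key';

# Build a cookie value that ties the username to the client's IP address and
# an expiry time, and seals all three with an HMAC so none can be altered.
sub make_ticket {
    my ($user, $ip, $expires) = @_;
    my $payload = join('|', $user, $ip, $expires);
    my $mac     = hmac_sha256_hex($payload, $SECRET);
    return encode_base64("$payload|$mac", '');    # '' => no line breaks
}

# Verify a ticket presented from $client_ip at time $now.
# Returns the username on success, undef on any failure.
sub check_ticket {
    my ($ticket, $client_ip, $now) = @_;
    my ($user, $ip, $expires, $mac) = split /\|/, decode_base64($ticket), 4;
    return undef unless defined $mac;
    my $expected = hmac_sha256_hex(join('|', $user, $ip, $expires), $SECRET);
    # Constant-time comparison of the two hex MACs to avoid a timing leak.
    return undef unless length($mac) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return undef if $diff;
    return undef if $ip ne $client_ip;    # cookie replayed from another host
    return undef if $now > $expires;      # ticket has expired
    return $user;
}

# Constructed demonstration: a valid use, a replay from another address,
# and a copy whose IP field was edited to match the attacker's host.
my $now = time;
my $t   = make_ticket('simon', '192.0.2.10', $now + 3600);
for my $case ([$t, '192.0.2.10'], [$t, '198.51.100.7'],
              [make_ticket('simon', '198.51.100.7', $now + 3600) =~ s/^(.{8})/$1/r, '198.51.100.7']) {
    my $who = check_ticket($case->[0], $case->[1], $now);
    printf "%-14s %s\n", $case->[1], defined $who ? "accepted as $who" : 'rejected';
}
```

The third case only succeeds because it was re-sealed with the shared key; an edited copy of the original ticket, lacking the key, cannot produce a matching MAC, which is why the key must never be readable by the users whose cookies it protects.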
