I have written a module that supports login authentication for CGI
apps.  It has the following main operations:

Register a new user
Log in
Change password
Change user profile
Forgot my password

I have written a few CGI scripts that show how to use it, and they are
included in the package.

It uses DBI to store the password information, and HTML::Template (in
those CGI scripts) to display the screens.

When you log in, the module generates a cookie which includes an MD5
hash of various information that identifies that you logged in.
Included in the cookie hash is the username and IP address of the
user.

The password is stored in the database as the MD5 hash - no plaintext
version is ever used.  When you select "Forgot my password", it asks
you the challenge question which you entered at registration, and you
must respond with the appropriate answer.  This answer is checked
against the one in the database - MD5 hash again - and if correct, it
generates a URL containing a random string which is sent to the user's
e-mail.  When the user follows that URL, they can enter a new
password.  Once they do, the URL will no longer work.  Can anyone see
any security holes in that system?  It seems foolproof to me.

It also has the ability to configure what fields you want to use for
the user profile/registration forms.  You can add address, favorite
color, or whatever.  The database table will be created with these
fields.

So, what to call this?  I've been calling it WWW::UserDB, but that's
kind of lame.  It's not necessarily CGI:: because it might be used in
Apache mod_perl, and vice-versa.  It's not necessarily HTML:: because
it might be used with WML apps.  In fact, it doesn't even have to be
used on the web at all, though the cookie aspect would be useless if
it weren't.  Once I have a name for it, I can upload it to CPAN.

--Bill.

-- 
William R Ward            [EMAIL PROTECTED]          http://www.wards.net/~bill/
                    (formerly known as [EMAIL PROTECTED])
-----------------------------------------------------------------------------
                   Life is too important to take seriously.
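
The registration, login-cookie and forgot-my-password flow the post describes, as an added example that is not Bill's module nor code from the list: Python stand-ins with in-memory dicts in place of the DBI tables, carrying the hardening a reviewer would ask for, namely a salted iterated hash rather than bare MD5 for the password and challenge answer, a keyed HMAC rather than an unkeyed MD5 over username + IP for the cookie, and a reset token that is consumed on first use and also expires. The names SERVER_KEY, _slow_hash and _tag, the PBKDF2 choice and the one-hour expiry are assumptions, not part of the described module.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stand-ins for the DBI tables the post describes.
USERS = {}         # username -> {"pw": (salt, digest), "answer": (salt, digest)}
RESET_TOKENS = {}  # token -> (username, expiry_epoch)
SERVER_KEY = secrets.token_bytes(32)  # assumed server-side secret for signing cookies

def _slow_hash(secret, salt):
    # Salted, iterated hash instead of bare MD5 (assumption: PBKDF2 stands in for the module's choice).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
def _store(secret):
    salt = secrets.token_bytes(16)
    return salt, _slow_hash(secret, salt)
def _verify(secret, stored):
    return hmac.compare_digest(_slow_hash(secret, stored[0]), stored[1])

def register(username, password, answer):
    USERS[username] = {"pw": _store(password), "answer": _store(answer.strip().lower())}

def _tag(body):
    # Keyed HMAC in place of the post's bare MD5: nobody without SERVER_KEY can recompute it.
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def login(username, password, client_ip):
    user = USERS.get(username)
    if user is None or not _verify(password, user["pw"]):
        return None
    body = f"{username}|{client_ip}"  # cookie binds username + IP, as in the post
    return f"{body}|{_tag(body)}"

def check_cookie(cookie, client_ip):
    # Returns the username only if the cookie is intact and bound to client_ip.
    username, ip, tag = cookie.rsplit("|", 2)
    if ip != client_ip or not hmac.compare_digest(tag, _tag(f"{username}|{ip}")):
        return None
    return username

def forgot_password(username, answer):
    # Checks the challenge answer; returns a random single-use token for the e-mailed URL.
    user = USERS.get(username)
    if user is None or not _verify(answer.strip().lower(), user["answer"]):
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + 3600)  # added: tokens also expire
    return token

def reset_password(token, new_password):
    entry = RESET_TOKENS.pop(token, None)  # pop: the URL stops working once used
    if entry is None or entry[1] < time.time():
        return False
    USERS[entry[0]]["pw"] = _store(new_password)
    return True
```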
