Possibly, although if you use https to access the page,
I thought the htaccess password is transmitted in the
http header and so is not encrypted in the data section.
Anyway, I'm sure something good will come around in
the next release.  Thanks.  --mark--

On Mon, 11 Nov 2002, Sergio A. Kessler wrote:

> Date: Mon, 11 Nov 2002 17:14:17 -0300
> From: Sergio A. Kessler <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [SL] Re: maintaining sessions securely
>
>
>
> mark, this issue has been bitten to death...
>
> anyway, IMO, using http authentication is a LOT
> more simple...
> (should not take more than five lines of perl)
>
> --
> :: Sergio A. Kessler ::
> Linux user #64005 - http://counter.li.org
>
> ----- Original Message -----
> From: "Mark Hedges" <[EMAIL PROTECTED]>
>
>
> >
> >
> > If the encrypted password can be read by the web server from
> > users/members, and the encrypted password is the string used to
> > authenticate in the get/post requests, it seems like there is no
> > real security provided by the encryption, because the encrypted
> > string is used as the secret, rather than the unencrypted
> > password... and it isn't very secret.
> >
> > To be useful, it seems like the unencrypted password should be
> > used to login, and then a one-time session-id hash should be
> > generated to maintain authenticity for a single session in the
> > get/post requests.  Access via command line should require an
> > initial login with the actual secret password to obtain the
> > session-id hash which is good for a limited time and corresponds
> > to an IP address.  This way an eavesdropper cannot simply pull
> > the encrypted password string from the members file to use for
> > access.  They would have to know the actual password, which is
> > the point of the encryption.
> >
> > Apache::Session and CGI::Session are mature CPAN packages that
> > can handle this in a secure way.
>
>
>


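The scheme Mark outlines in the quoted message (log in once with the real password, then hand back a random, short-lived session id that is tied to the client's IP address, so the string stored in the members file is never itself accepted as a credential) written out in Python as an added example. It is not part of the thread and is not the code of Apache::Session or CGI::Session; the member record, user name, password and IP addresses are constructed sample data, and the `SessionStore` class, its method names and the injectable `clock` are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def make_password_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) for the members file. The hash is only ever
    compared against a freshly hashed login attempt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, stored = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(stored, attempt)


# Constructed sample "members file": username -> (salt, hash).
MEMBERS: Dict[str, Tuple[bytes, bytes]] = {
    "mark": make_password_record("correct horse battery staple"),
}


class SessionStore:
    """Issues random session ids that expire after `ttl_seconds` and are
    only valid from the IP address that performed the login."""

    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested
        # sha256(token) -> (username, client_ip, expires_at)
        self._sessions: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token; a leaked session table then
        # does not hand out live session ids.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, password: str, client_ip: str) -> Optional[str]:
        """Check the real password and, on success, mint a fresh session id."""
        record = MEMBERS.get(username)
        if record is None or not verify_password(record, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (username, client_ip, self.clock() + self.ttl)
        return token

    def validate(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user name if the session id is live and presented from
        the IP it was issued to; otherwise drop the session and return None."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, bound_ip, expires_at = entry
        if client_ip != bound_ip or self.clock() > expires_at:
            # Treat an IP mismatch like a possible replay and revoke the session.
            self._sessions.pop(key, None)
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)
```

The point of the thread shows up in `login`: the value kept in the members file is a salted PBKDF2 hash, so presenting that stored string as the password fails verification, and every GET/POST after login carries only a random token that expires and is rejected from any other address.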