I would run everything inside of a Secure Socket Layer (SSL) Win32 and/or use some
type of algorithm to encrypt the data between scripts. I would look into Digest::MD5;
it's a 128-bit one-way hash algorithm. Go to CPAN for more info. Could be an idea to
get you started.
GL,
Mark Bergeron
-----Original Message-----
From: "Grierson, Garry (UK07)"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tue Sep 18 03:22:17 PDT 2001
Subject: Security Suggestions Please!
>I have to secure a newly developed web search service that deals with
>sensitive fiscal information; this originally consisted of Perl scripts that
>called html pages or other scripts. The default page ran a rudimentary login
>script that launched a variety of html pages or further scripts, the html
>pages in turn also ran scripts, and one page also runs an IDC search.
>
>To disallow direct access to the html I have 'moved' this inside the
>appropriate Perl scripts so a valid password displays the html page and an
>invalid password returns you to the login script. The password is passed
>between the scripts using the post method so it won't show up on the URL
>bar.
>
>I have two questions.
>
>1) What benefits if any are there from checking the entered passwords
>against a file or database table as opposed to having a valid password or
>list of passwords held within the initial validation script?
> The password will be changed regularly, and the server being changed to
>display the script text by mistake is unlikely.
>
>2) What if any dangers are inherent in passing the password between the
>scripts to verify the user's access?
> This is an Intranet site so the only sniffers should be people with
>colds!
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>
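As an added example (not code from either message in this thread), here is a small Perl sketch of what Mark's suggestion looks like when the digests live in a file rather than inside the login script, and the scripts pass a random session token to each other instead of re-posting the password. Digest::SHA stands in for the Digest::MD5 he names (same calling interface); the file layout, the use of /dev/urandom and the user names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);  # drop-in for the Digest::MD5 named in the reply

# --- password file handling: one "user:salt:hexdigest" line per account ----
sub random_hex {                 # assumes a Unix-style /dev/urandom
    my ($bytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read $fh, my $buf, $bytes;
    close $fh;
    return unpack 'H*', $buf;
}

sub make_entry {                 # what the password-change tool would write
    my ($user, $password) = @_;
    my $salt = random_hex(8);
    return join ':', $user, $salt, sha256_hex($salt . $password);
}

sub constant_time_eq {           # don't leak how many bytes matched via timing
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub check_password {             # the file is read, never served, by the web user
    my ($entries, $user, $password) = @_;
    for my $line (@$entries) {
        my ($u, $salt, $digest) = split /:/, $line;
        next unless $u eq $user;
        return constant_time_eq(sha256_hex($salt . $password), $digest);
    }
    return 0;                    # unknown user: same answer as a wrong password
}

# --- session token: what the other scripts receive instead of the password --
my %sessions;                    # in-memory for the demo; a file or table in practice
sub new_session  { my $t = random_hex(16); $sessions{$t} = shift; return $t }
sub session_user { my ($t) = @_; return defined $t ? $sessions{$t} : undef }

# Constructed sample data, as the password-change tool would have written it.
my @passwd_file = (make_entry('garry', 'correct horse'), make_entry('mark', 'Tr0ub4dor'));

# Login script: verify once, then hand out a token for the downstream scripts.
my $token = check_password(\@passwd_file, 'garry', 'correct horse') ? new_session('garry') : undef;
print defined $token ? "login ok, session $token\n" : "login failed\n";
print "BUG: wrong password accepted\n" if check_password(\@passwd_file, 'garry', 'wrong');
print "downstream script sees user: ", session_user($token) // '(none)', "\n";
```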