I would run everything inside of a Secure Socket Layer (SSL) Win32 and/or use some 
type of algorithm to encrypt the data between scripts. I would look into Digest::MD5, 
it's a 128-bit one-way hash algorithm. Go to CPAN for more info. Could be an idea to 
get you started.

GL,
Mark Bergeron

-----Original Message-----
From: "Grierson, Garry (UK07)"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tue Sep 18 03:22:17 PDT 2001
Subject: Security Suggestions Please!

>I have to secure a newly developed web search service that deals with
>sensitive fiscal information, this originally consisted of Perl scripts that
>called html pages or other scripts. The default page ran a rudimentary login
>script that launched a variety of html pages or further scripts, the html
>pages in turn also ran scripts, one page also runs an IDC search. 
>
>To disallow direct access to the html I have 'moved' this inside the
>appropriate Perl scripts so a valid password displays the html page and an
>invalid password returns you to the login script. The password is passed
>between the scripts using the post method so it won't show up on the URL
>bar.
>
>I have two questions.
>
>1)  What benefits if any are there from checking the entered passwords
>against a file or database table as opposed to having a valid password or
>list of passwords held within the initial validation script?
>     The password will be changed regularly, and the server being changed to
>display the script text by mistake is unlikely.
>
>2)  What, if any, dangers are inherent in passing the password between the
>scripts to verify the users' access?
>      This is an Intranet site so the only sniffers should be people with
>colds!
>

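As an added example (not Mark's or Garry's code), the file-based check the reply points at: one salted Digest::MD5 hash per user, verified from a file kept outside the web root, with a random session token handed between scripts instead of the password itself. The file path is assumed; Digest::MD5 is used because the reply names it, but a new deployment today would use a purpose-built slow password hash.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
# Assumed location of the credential file, kept outside the web root.
# Each line: username:salt:md5hex(salt . password)
my $PASSWD_FILE = '/var/www/private/passwd';
sub hash_password {
    my ($salt, $password) = @_;
    return md5_hex($salt . $password);
}
# Hex-encode random bytes from the OS; used for salts and session tokens.
sub random_hex {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $buf, $nbytes;
    close $fh;
    return unpack 'H*', $buf;
}
# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}
# Returns 1 when the user exists and the password matches the stored hash.
sub verify_login {
    my ($user, $password) = @_;
    open my $fh, '<', $PASSWD_FILE or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $salt, $hash) = split /:/, $line, 3;
        next unless defined $hash and $u eq $user;
        return same_string(hash_password($salt, $password), $hash);
    }
    return 0;
}
# After a successful login, pass this token between scripts (and store it
# server-side with the user name and an expiry) rather than the password.
my ($user, $pass) = @ARGV;
if (defined $pass and verify_login($user, $pass)) {
    print "login ok, session token: ", random_hex(16), "\n";
} else {
    print "login failed\n";
}
```

A new user's record is created with a fresh `random_hex(8)` salt and `hash_password($salt, $password)`, so the file never holds the password itself.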


