Please see my questions in line! Thanks!

>> In addition my client anticipates storing this extremely sensitive data
>> using Microsoft Access on his site which is largely implemented in Perl
>> CGI.
>> 
>> 
>Microsoft Access does not scale.  Consider using SQL Server if it must
>be MS, or investigate the open source databases like PostgreSQL and
>MySQL if cost is an issue.  Stay away from using Access for anything
>production as it's meant to be a simple DB.  It will burn them.  Most of
>my current job is converting all the Access DBs floating around to our
>Oracle DB, while the MIS department is figuring out ways to make sure
>Access will not run on anyone's computers :)
>

I have explained the performance problems with Microsoft Access many times
to my customer and he does not listen. (This is because it is not a problem
with only him and me prototyping the site). What you describe is a performance
issue, not a security issue. It sounds like MSAccess is just as secure as
those other databases, correct?

>> Finally, what about using cookies for authentication and authorization?
>> Assuming his clients are amenable to turning cookies on, I believe the
>> favorite algorithm is to generate a random number when we prompt for a
>> password and (assuming the user enters a valid username and password)
>> store this number both in the cookie on the browser and in the database.
>> The browser always presents this number to the Perl CGI code and we look
>> up the number in the database to find the username and bump a counter in
>> our database every time the user requests an evaluation.
>> 
>
>More than just a random number in most cases.  Usually double md5sum of
>the epoch bitwise or'd or appended with the process id number, ip
>address, or user id or a combination thereof might work.
>

Do you have a reference where I could read up on this? 

Thanks,
    Siegfried
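Added example (not from anyone in this thread): a minimal Perl sketch of the cookie-session scheme discussed above, where a token is minted after the password check, the Perl CGI code looks it up on every request and bumps a per-session counter. It draws the random value from /dev/urandom (assumes a Unix-like host), stores only the token's SHA-256 digest in the session table, and expires sessions after a fixed TTL; the in-memory %sessions hash and the 30-minute TTL are stand-ins for the real database table and policy.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module since Perl 5.10

# Constructed stand-in for the sessions table in the database:
# sha256(token) => { user => ..., created => epoch seconds, requests => count }
my %sessions;
my $SESSION_TTL = 30 * 60;        # assumed policy: sessions live 30 minutes

# Return $n bytes from the OS entropy source (assumes /dev/urandom exists).
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, $n);
    close($fh);
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Called once the username/password check has succeeded: mint the cookie
# value and record only its digest server-side, so a copy of the database
# does not hand out live sessions.
sub create_session {
    my ($user) = @_;
    my $token = unpack('H*', random_bytes(32));   # 64 hex characters
    $sessions{ sha256_hex($token) } = { user => $user, created => time(), requests => 0 };
    return $token;
}

# Called on every CGI request: map the cookie value back to a username and
# bump the request counter. Returns undef for malformed, unknown or expired tokens.
sub lookup_session {
    my ($token) = @_;
    return undef unless defined $token && $token =~ /\A[0-9a-f]{64}\z/;
    my $key = sha256_hex($token);
    my $row = $sessions{$key} or return undef;
    if (time() - $row->{created} > $SESSION_TTL) {
        delete $sessions{$key};                   # expired: drop the row
        return undef;
    }
    $row->{requests}++;
    return $row->{user};
}

# Flow: issue the cookie at login, then resolve it on a later request.
my $cookie = create_session('siegfried');
printf "Set-Cookie: session=%s; HttpOnly; Secure\n", $cookie;
print  "user: ", (lookup_session($cookie) // 'none'), "\n";
print  "user: ", (lookup_session('0' x 64) // 'none'), "\n";
```

The cookie value itself never touches the database; a leaked table yields only digests, and a token that fails the format check is rejected before any lookup.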

