On Thursday, April 25, 2002, at 11:57 AM, Mat Harrison wrote:
> what about some clever person (such as the people on this list) faking the
> cookie?

Now you are talking about the general issue of authorization. A fake cookie would have to know a valid user id. This might not be too difficult to find. That is why I use an encrypted value of the password in a cookie for checking against. That would be a little harder to find out unless a hacker had access to a valid user's cookies. There is only so much you can do. Makes it hard to fake, but not impossible. There is no absolute guarantee.

> -----Original Message-----
> From: bob ackerman [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 7:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: authentication and user management
>
> On Thursday, April 25, 2002, at 10:58 AM, Mat Harrison wrote:
>
>> I am building a perl/cookie members system for my site using SSI to check
>> if a cookie is present (set at login), if not, to redirect to an error page.
>> This is my plan:
>>
>> 1. login page. Check that the username and password match that in the
>>    database.
>> 2. If yes, then set a cookie with the user's ID from the database.
>> 3. When the restricted page is called, then the script attempts to
>>    retrieve the cookie.
>>
>> How do I say
>>
>>     if ($cookievalue eq "" || cookie does not exist) {
>>         redirect to an error page
>>     }
>>
>> I know how to retrieve a cookie and redirect, but how do I get the script
>> to tell the difference between an incorrect cookie value (one that doesn't
>> match any IDs in the database) and no cookie at all?
>
> When you ask for a cookie for a given key, if it doesn't exist it will be
> empty, as in the code above. I don't think you want to worry about the
> cookie existing with an empty value. That wouldn't be a valid login.
> Then, if the cookie exists, you could do a db query to make sure the id is
> actually in the database.
>
>> If anyone can suggest anything about the cookies or any tips on this
>> subject in general, please help.
>>
>> Thanks in advance
>>
>> --
>> Matthew Harrison
>> Webmaster
>> www.genestate.com
>> [EMAIL PROTECTED]

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
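The three-step plan discussed in the thread (check the login, set a cookie carrying the user id, then classify the cookie the restricted page receives) as an added, self-contained example. This is not code from either poster; it is written in Python rather than Perl, and the user table, the passwords, the `SERVER_KEY` secret, the one-hour `max_age` and the `id:timestamp:hmac` cookie layout are all assumptions made for the example. Instead of placing a password-derived value in the cookie, it signs the user id and issue time with a server-side key, so a cookie that carries a real user id but was not issued by the server is rejected as tampered, while a genuinely signed cookie whose id no longer exists in the table is reported separately. The `check_cookie` return value distinguishes the cases the original question asked about: no cookie at all, an invalid or forged value, an expired one, a signed value with an unknown id, and a good login.

```python
"""Cookie-based login check (added example, not the thread's own code).

Distinguishes an absent cookie from a tampered one, from an expired one
and from one that names an id no longer present in the user table.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: work factor for the password hash


def _pw_record(password):
    """Salted PBKDF2 hash of a password; only the hash and salt are stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed sample user table keyed by user id (assumption, not from the thread).
USERS = {
    42: {"name": "mat", **_pw_record("correct horse")},
    7: {"name": "bob", **_pw_record("battery staple")},
}
USERS_BY_NAME = {rec["name"]: uid for uid, rec in USERS.items()}

# Server-side secret used to sign cookies; it is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def login(username, password, users=USERS, by_name=USERS_BY_NAME):
    """Step 1: return the user id if username and password match, else None."""
    uid = by_name.get(username)
    if uid is None:
        return None
    rec = users[uid]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison so a wrong guess does not leak via timing.
    return uid if hmac.compare_digest(candidate, rec["hash"]) else None


def make_cookie(user_id, issued_at, key=SERVER_KEY):
    """Step 2: cookie value is 'id:timestamp:hmac'.

    The HMAC over 'id:timestamp' lets the restricted page reject any value
    the server did not issue, even one that guesses a real user id.
    """
    payload = f"{user_id}:{issued_at}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def check_cookie(cookie, now, users=USERS, key=SERVER_KEY, max_age=3600):
    """Step 3: classify the cookie the restricted page received.

    Returns (status, user_id) where status is one of
    'missing', 'invalid', 'expired', 'unknown_user' or 'ok'.
    """
    if not cookie:                        # None or "": no usable login at all
        return ("missing", None)
    parts = cookie.split(":")
    if len(parts) != 3:
        return ("invalid", None)          # wrong shape, not something we issued
    uid_s, ts_s, sig = parts
    expected = hmac.new(key, f"{uid_s}:{ts_s}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return ("invalid", None)          # forged or tampered value
    try:
        uid, issued_at = int(uid_s), int(ts_s)
    except ValueError:
        return ("invalid", None)
    if now - issued_at > max_age:
        return ("expired", None)          # signature fine, but too old
    if uid not in users:
        return ("unknown_user", None)     # signed by us, but the account is gone
    return ("ok", uid)


if __name__ == "__main__":
    uid = login("mat", "correct horse")
    cookie = make_cookie(uid, issued_at=1_000_000)
    print("good cookie:  ", check_cookie(cookie, now=1_000_100))
    print("no cookie:    ", check_cookie(None, now=1_000_100))
    print("forged cookie:", check_cookie("42:1000000:0000", now=1_000_100))
```

On the restricted page, `missing` and `invalid` would both redirect to the error page; keeping them apart is still useful because a stream of `invalid` results against real ids is what cookie forging looks like in the logs. In a real deployment the cookie would also be marked `Secure` and `HttpOnly`, and `SERVER_KEY` would be loaded from configuration rather than regenerated at process start, otherwise every restart logs everyone out.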