
Password protected areas.

Status
Not open for further replies.

blitzer

Programmer
Joined
Jun 18, 2001
Messages
34
Location
CA
On my website I have password protected pages. I've found that the easiest way to allow my members to surf through these pages without having to login on every page is to have them login once, and then they can navigate the site with buttons which have a <input type=hidden name=password value="password"> variable to them.

I know this sounds awkward but it works fine for what I do. What I'm worried about is security. All of the major sites that I go to which have password protected pages seem to be using a cookie to store the password because when I view the source, my password can never be found.

Is this the more secure method of storing a password or do all of the major sites just use it for convenience? If cookies are more secure, if you could post a link to a tutorial on how to write cookies for passwords or something along those lines I'd appreciate it.

thanks,
blitzer
 
Think Sessions. I can't give a whole lot of detail as I use Sessions in ASP, however, there has to be an equivalent in Perl.

Sessions are user specific, meaning, once they close the browser, they have to login again. If they send a link to someone while logged in, it can't be viewed. Anyone visiting that link will get the login page, etc. They are nice, but get a little tricky.

"It's easier to ask forgiveness than it is to get permission." - Rear Admiral Dr. Grace Hopper
 
Using cookies is only slightly more secure than a hidden field..... some more but not much more. If you want a significant improvement in securing your communications, I think you would have to go to something like Secure Socket Layers. I have never played with the SSL stuff, so I can't help. But, unless you're passing sensitive personal information back and forth, I think the cookies would do what you want.

If you go the cookie route, the cookie would keep track of your user's id. When they log in, if they supply a valid user/passwd pair, then you generate a unique temporary user id and send it to the browser in a cookie. Each time a page is requested, you parse the cookie, check the id, and you know whether or not this is a valid user. The persistence of the cookie can be controlled with the 'expire' attribute.

You could do the same exact thing with a hidden field. A difference is that the hidden field will not expire in the browser. A cookie can be set to expire when the browser is closed.

HTH


keep the rudder amid ship and beware the odd typo
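The login-then-session-id scheme goBoating describes above, written out as an added example (not code from any poster) in Python rather than the asker's Perl. The USERS table, the SESSIONS store, SESSION_TTL and the function names are all constructed for this demo; the point it shows is that the cookie carries an opaque random id, never the password, and that the server can expire or revoke that id, which a hidden field cannot do.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed credential store for the demo: username -> password.
# A real site would keep salted password hashes, not plain text.
USERS = {"blitzer": "correct horse"}

# Server-side session table: session id -> (username, expiry timestamp).
SESSIONS = {}
SESSION_TTL = 30 * 60  # idle lifetime of a session id, in seconds

def login(username, password, now=None):
    """Check the user/passwd pair; on success mint a random session id,
    remember it server-side and return the Set-Cookie value carrying it.
    Returns None when the credentials do not match."""
    now = time.time() if now is None else now
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)  # unguessable token, not the password
    SESSIONS[sid] = (username, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True   # keep page scripts from reading it
    cookie["sid"]["path"] = "/"
    # No 'expires' attribute: the browser drops the cookie when it is closed.
    return cookie.output(header="").strip()

def current_user(cookie_header, now=None):
    """Parse the request's Cookie header, look the id up and return the
    username if the session is still valid, else None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if "sid" not in cookie:
        return None
    sid = cookie["sid"].value
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(sid, None)  # expired: forget it server-side too
        return None
    return username

def logout(cookie_header):
    """Invalidate the session server-side so a copied id stops working."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if "sid" in cookie:
        SESSIONS.pop(cookie["sid"].value, None)
```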
 
FYI, the "unique temporary id" that goBoating mentions above is also called a "Session ID". What he's talking about is pretty much the same thing as bra1niac was saying.

Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.
 