
Secure cookies and SSL

Status
Not open for further replies.

yourkeylady

Programmer
Jan 8, 2004
63
US
Does anyone know of a good tutorial on the use of cookies and SSL? I'm having trouble with a script not placing the cookie. I'm wondering if it's because the server name is different from the URL it's being posted from.

Thanks
Tricia
 
I'm posting a session cookie that has a random number in it and the user name. But when I go from https to http the server name changes and it won't post the cookie. So I would like to come up with a different method for cookies.

I have Flash Professional and what I thought of is putting an invisible client side program that always uses https and constantly (every 120 seconds) checks the server for the login at the same url. If the correct info isn't found it redirects the browser window.

The scripts with http must be sent the last recorded information for that user to open the script. This would be done with javascript to add the session number to the link or hidden input tag.

If a malicious user tries to open a page using the cookie information the intrusion is immediately detected when comparing their IP addresses and another static variable in the flash program. Then the user is warned with a pop up that another user is viewing their page and an email is sent to administration.



Thanks
Tricia
 
Tricia,

How are you creating the cookies? Perl? CGI?

Can you post some sample code?


Trojan.

 
Code:
$cookie = new CGI::Cookie(
    -name   => 'CID',
    -value  => "$random|$pkg::user",
    -domain => $pkg::server
);

print $pkg::q->header( -cookie => $cookie );

if (open( COOKIE,">$pkg::cgiroot/clients/pkg::path/admin/login/pkg::type/$pkg::user.txt"))
{
    print COOKIE $random;
    close(COOKIE);
    print qq{
<SCRIPT type="text/javascript">
alert(" Welcome $pkg::user");
document.location.href="http://$host/cgi-bin/clients/$pkg::path/$pkg::script";
</SCRIPT>
};
} else {
    $insert2 = qq{
There has been an error setting this session.  Please try to login again.
};
}

Thanks
Tricia
 
What about creating 2 cookies for the price of one?
Every time you update or create a cookie for the http server, also create/update one for the https server.

I've not tried this so your mileage may vary but it's a thought.

Trojan.

 
From the CGI man page:

2. a domain
This is a partial or complete domain name for which the cookie is
valid. The browser will return the cookie to any host that matches
the partial domain name. For example, if you specify a domain name
of ".capricorn.com", then the browser will return the cookie to Web
servers running on any of the machines " " "feckless.capricorn.com", etc. Domain names
must contain at least two periods to prevent attempts to match on
top level domains like ".edu". If no domain is specified, then the
browser will only return the cookie to servers on the host the
cookie originated from.

Trojan
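
The domain rule quoted above, applied to the situation in this thread, as an added example that is not part of the original posts. The hostnames are constructed placeholders and `domain_match` / `cookie_returned_to` are hypothetical helper names; the check that a browser discards a cookie whose Domain does not cover the host that set it is added here and is not part of the man page excerpt.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# True if $host falls under $domain by the partial-domain rule quoted above.
sub domain_match {
    my ($host, $domain) = @_;
    ($host, $domain) = (lc($host), lc($domain));
    return 0 if ($domain =~ tr/.//) < 2;       # ".edu"-style values are refused
    (my $bare = $domain) =~ s/^\.//;
    return 1 if $host eq $bare;
    return $host =~ /\Q.$bare\E\z/ ? 1 : 0;    # suffix match on a label boundary
}

# Would a cookie set by $origin with -domain $domain come back on a request
# to $host? An undefined $domain means no -domain was given (host-only cookie).
sub cookie_returned_to {
    my ($host, $origin, $domain) = @_;
    return lc($host) eq lc($origin) ? 1 : 0 unless defined $domain;
    # Browsers drop a cookie whose Domain does not cover the host that set it.
    return 0 unless domain_match($origin, $domain);
    return domain_match($host, $domain);
}

# Constructed hostnames (assumptions, not the poster's real servers).
my $site   = 'www.mysite.example';           # plain-HTTP site
my $shared = 'secure.sharedhost.example';    # shared SSL host, site in a subdirectory

my @cases = (
    # [ host receiving the request, host that set the cookie, -domain ]
    [ $site,                 $shared, undef             ],
    [ $site,                 $shared, '.mysite.example' ],
    [ $site,                 $site,   '.mysite.example' ],
    [ 'shop.mysite.example', $site,   '.mysite.example' ],
    [ $shared,               $site,   '.mysite.example' ],
    [ $site,                 $site,   '.example'        ],
);

for my $case (@cases) {
    my ($host, $origin, $domain) = @$case;
    printf "%-26s set by %-26s domain=%-16s => %s\n",
        $host, $origin, $domain // '(none)',
        cookie_returned_to($host, $origin, $domain) ? 'returned' : 'not returned';
}
```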
 
That would be an option except my SSL server has a sub directory for the shared domains. So my domain isn't in the server name. And only part of it is in the subdirectory name.

Thanks
Tricia
 
Also I would like to be notified if my site is being hacked or viewed and the only way it seems to do that is with a client side app that constantly checks the login information.

Thanks
Tricia
 
Well this may be a silly question, but why are you asking about a flash, client side app in a Perl forum?

Trojan.

 
I didn't think of the flash solution till after I had started the thread.

Thanks
Tricia
 
Ok, no probs.

If you still want to look at a perl solution, maybe you might want to post some example url's for your http and your https servers so that we can see exactly what is causing your problems.


Trojan.

 
I'm afraid to post here because this is where a lot of hackers hang out.

Thanks
Tricia
 
Tricia,
Could this be the problem?
Code:
if (open( COOKIE,">$pkg::cgiroot/clients/$pkg::path/admin/login/$pkg::type/$pkg::user.txt"))
HTH
--Paul

cigless ...
 
yourkeylady said:
I'm afraid to post here because this is where a lot of hackers hang out.

Thanks
Tricia

Might I be so bold as to ask where this assumption was drawn from? BTW Hacker is a term that doesn't have the "Dark Side" attached to it, I believe the term is "cracker", or at least it was last week ;-)

Many Perl programmers refer to themselves as YAPH (Yet Another Perl Hacker), it's a term of endearment, of sorts.

--Paul



cigless ...
 
I'm sorry, I meant cracker. My program is only in construction at this point, it's not cracker tested.

Thanks
Tricia
 
I was not suggesting that you post a real URL, just something to give us an example of what is causing your problems.

We always recommend that people do not post sensitive code such as URL's or particularly usernames and passwords.

If you feel wary then you're always best to not post and we will all understand that concern.

:)


Trojan.
 