
Need help with PERL and cookies.

  • 26-07-2003 8:39pm
    #1
    Registered Users Posts: 605 ✭✭✭


    Hi,
    I'm looking for some guides/tutorials to help me make something that will deal with cookies and user sessions in a PERL script.
    You know, to work around a forum system.
    Like being able to make a cookie, store an encrypted password and read it into the forum each time the page is executed. Hence you're always logged in, until the cookie is deleted.
    I'm a bit confused by this though.
    Because it wouldn't make sense to have the password encrypted locally would it? But then it also seems unsafe to an extent.

    Anyway, as you can see I'm not too familiar with the whole concept so some advice would be greatly appreciated too! :D

    Cheers
    - Tim


Comments

  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Why don't you download one of the existing Perl forums and look at the source?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Yep, it makes sense to have the password encrypted locally.

    Now, I'm a little drunk, but afaik, PHP takes some bits from Perl. Anyway, the way boards.ie works - a cookie stores your username and your password, encrypted md5.

    When you sign up for vBulletin, it takes your password, encrypts it md5, and stores that value in the database - it never stores your actual password. This leaves security in the hands of the connection - the last fortress.

    So when you request a page, the script looks at the cookie, takes the md5 value and compares it to that in the DB. Same for logging on.

    A user session is a little different, if a little more secure (strictly IMO). It only stores all data until the user closes their browser (or passes on the URL).

    If you don't understand, I'll try clarify when I'm sober :D


  • Registered Users Posts: 605 ✭✭✭exiztone


    Originally posted by seamus

    So when you request a page, the script looks at the cookie, takes the md5 value and compares it to that in the DB. Same for logging on.


    So the password stored in the cookie, is encrypted the same as the password stored in the database?
    Isn't that a bit of security risk in the sense that you do enough of those and you could work out their encryption technique?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Originally posted by exiztone
    So the password stored in the cookie, is encrypted the same as the password stored in the database?
    Isn't that a bit of security risk in the sense that you do enough of those and you could work out their encryption technique?

    No, md5 is one-way, in theory. Afaik, it's the same encryption as used in a basic Linux login.

    Forums are never expected to be über safe tho, but you do the best you can. :)

    PHP had a function
    md5("string")
    

    Which md5 encrypts any string, but I'm not sure if Perl has something similar. PHP was written for such applications

    :)


  • Closed Accounts Posts: 304 ✭✭Zaltais


    Haven't really read the full extent of the responses to your post, (it's late and I'm too lazy right now), so sorry if someone's covered some of this already.

    The two modules you want are CGI::Cookie and CGI::Session

    CGI::Cookie is included in the standard distribution (as part of the CGI module) but CGI::Session is not AFAIK.

    Take a look on CPAN for documentation for these two modules.

    Basically what you want to do (IMO) is to have a user login / password database. When a user logs in successfully, issue them with a session ID, then store the session ID in a cookie. When a user hits a page you can simply read the session from the parameters passed in the url, or from the cookie if no session ID is passed in the URL.

    Naturally if you want a user to be persistently logged in then you simply need to set the expiration date on the session (and by reference its corresponding cookie) 6 months or a year from its last activity date.

    <edit>If you wanna go down the MD5 route see CPAN for the Digest::MD5 module</edit>
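
The session-ID approach from the last reply, as an added example that is not part of the original thread or any poster's code: the cookie carries only a random ID that the server can expire or revoke, rather than the MD5 of the password discussed earlier, which works as a password equivalent if the cookie leaks. The in-memory `%SESSIONS` store, the `sid` cookie name and the helper names are assumptions for illustration, and it assumes a Unix-like host (`/dev/urandom`) with the CGI distribution installed.

```perl
use strict;
use warnings;
use CGI::Cookie;    # module named in the thread (CPAN "CGI" distribution)

my %SESSIONS;       # constructed in-memory store; a real forum would use a DB or CGI::Session
my $TTL = 180 * 24 * 60 * 60;    # about 6 months since last activity, as suggested above

# 128-bit random session ID from the OS CSPRNG (assumption: /dev/urandom exists).
sub new_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    (read($fh, my $bytes, 16) // 0) == 16 or die "short read from urandom";
    close $fh;
    return unpack('H*', $bytes);
}

# Call only after the submitted password has been checked against the user database.
sub start_session {
    my ($username) = @_;
    my $sid = new_session_id();
    $SESSIONS{$sid} = { user => $username, last_seen => time };
    return CGI::Cookie->new(
        -name => 'sid', -value => $sid, -expires => '+6M',
        -path => '/',   -secure => 1,   -httponly => 1,
    );
}

# Call on every page hit with the raw Cookie header; returns the username or undef.
sub user_for_request {
    my ($cookie_header) = @_;
    my %cookies = CGI::Cookie->parse($cookie_header // '');
    my $c = $cookies{sid} or return;
    my $sid = $c->value;
    return unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;    # reject malformed IDs
    my $s = $SESSIONS{$sid} or return;                           # unknown or revoked
    if (time - $s->{last_seen} > $TTL) { delete $SESSIONS{$sid}; return; }
    $s->{last_seen} = time;                                      # sliding expiry
    return $s->{user};
}

# Logout: the ID stops working at once, and the password never left the server.
sub end_session { my ($sid) = @_; delete $SESSIONS{$sid}; return; }

# Demo with constructed values.
my $cookie = start_session('tim');
print "Set-Cookie: $cookie\n";
my $sid = $cookie->value;
print "page hit as: ", user_for_request("sid=$sid") // 'anonymous', "\n";
end_session($sid);
print "after logout: ", user_for_request("sid=$sid") // 'anonymous', "\n";
```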

