Password scheme/Persistent session...

krakle

I'm creating a members-only service with perl (I will be using mod_perl)
for a busy web site. I need to create a Members Area that is pass
protected.

Originally I wanted to generate a random SID upon logging in and
store the SID in mySQL and also create a cookie on the user's
computer to 'keep the user logged in'. However, I was told using
cookies may not be a good idea. So the idea of storing the SID in the
URL or hidden inputs arose. I really do not want to do this.

Is there any way I can implement a password protected members area
with perhaps a persistent session without the use of cookies? Any
implementation ideas? I've seen sites like FaceTheJury.com which
validate a login and they don't have SIDs in the URL or cookies
created for this purpose.

Please don't suggest .htpasswd; it is out of the question, being that
it does linear style lookups and I need more control over the
sessions.
 
James Willmore

> I'm creating a members-only service with perl (I will be using mod_perl)
> for a busy web site. I need to create a Members Area that is pass
> protected.
>
> Originally I wanted to generate a random SID upon logging in and store
> the SID in mySQL and also create a cookie on the user's computer to
> 'keep the user logged in'. However, I was told using cookies may not be
> a good idea. So the idea of storing the SID in the URL or hidden inputs
> arose. I really do not want to do this.
>
> Is there any way I can implement a password protected members area with
> perhaps a persistent session without the use of cookies? Any
> implementation ideas? I've seen sites like FaceTheJury.com which
> validate a login and they don't have SIDs in the URL or cookies created
> for this purpose.

http://www.stonehenge.com/merlyn/WebTechniques/col61.html

This article gives an overview of using *a* cookie for session management.
The idea is to "tie" the browser to the session, thus giving some
persistence. You could use a cookie to associate the browser with the
session and use a database on the back end to store "stuff" like username
and password for the session's database connection.

Cookies, IMO, are about as secure a method (along with SSL and setting the
cookie to be secure) as you're going to get - short of true TCP connection
(think ssh). Web browsers are a wonderful gift to technology, but they are
one of the biggest headaches as far as security is concerned.

[ ... ]

HTH

--
Jim

Copyright notice: all code written by the author in this post is
released under the GPL. http://www.gnu.org/licenses/gpl.txt
for more information.

a fortune quote ...
Nasrudin walked into a teahouse and declaimed, "The moon is more
useful than the sun." "Why?", he was asked. "Because at night
we need the light more."
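The scheme described in this reply (a random SID tied to the browser by a cookie, with the session data kept in a database and expired on a timer, as the original question asked for), as an added Perl example that is not code from the post; a hash stands in for the MySQL sessions table, and the function names and the /members path are my own assumptions.

```perl
use strict;
use warnings;

# Constructed stand-in for the MySQL sessions table: sid => { user, expires }.
my %sessions;
my $IDLE_TIMEOUT = 30 * 60;   # a session ends after 30 minutes of inactivity

# A SID must be unguessable, so take 16 bytes from the kernel CSPRNG
# rather than from rand(), and return them as 32 hex characters.
sub new_sid {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 16;
    close $fh;
    return unpack 'H*', $bytes;
}

# Log a user in: create the session row and return the SID for the cookie.
sub create_session {
    my ($user) = @_;
    my $sid = new_sid();
    $sessions{$sid} = { user => $user, expires => time + $IDLE_TIMEOUT };
    return $sid;
}

# Check the SID presented in the cookie. Returns the username, or undef
# when the SID is malformed, unknown or expired (expired rows are deleted).
sub validate_session {
    my ($sid) = @_;
    return unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    my $row = $sessions{$sid} or return;
    if ($row->{expires} < time) {
        delete $sessions{$sid};
        return;
    }
    $row->{expires} = time + $IDLE_TIMEOUT;   # activity extends the session
    return $row->{user};
}

# Cookie for the SID: Secure so it only travels over SSL, HttpOnly so page
# scripts cannot read it, Path limited to the members area.
sub session_cookie_header {
    my ($sid) = @_;
    return "Set-Cookie: SID=$sid; Path=/members; Secure; HttpOnly";
}

my $sid = create_session('alice');            # constructed login
print session_cookie_header($sid), "\n";
print "validated as: ", validate_session($sid) // 'nobody', "\n";
```

Because the browser only ever holds the opaque SID, logging out or expiring a session is a matter of deleting the row; nothing on the client needs to be trusted.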
 
krakle

> ...which is way off topic for clpm. Why ask that here?
>
> Anno

Because I wanted to know how to maintain state IN perl without
utilizing cookies. It seems like a miscellaneous perl question that
fits right in with comp.lang.perl.misc (note: Comp = Computer. Lang =
Language. Perl = duh!. Misc = Miscellaneous). So, how doesn't a
miscellaneous perl question belong here?
 
krakle

James Willmore said:
> I don't see how you can.
>
> You could try posting this question to a CGI newsgroup -or- using Google
> to see what others have done.

I guess i'll just use cookies. Thanks though.
 
krakle

Sherif Zaroubi said:
> If you are running apache.
> Check .htaccess files and .htpasswd files.

If you completed reading my post you would see that I stated "Please
don't refer me to .htpasswd because...".

> You don't need a session. All you need is a password file.

I need a session. .htpasswd does linear style lookups. Users
beginning with 'Z' will take longer to look up than users beginning
with the letter 'A'. It doesn't make sense to have hundreds of
thousands or even tens of thousands of usernames in a plaintext file.
Imagine how poor performance will be. I also need session control to
be able to set time limits, expire as well as some other general
session tasks. Apache's .htpasswd just isn't enough or performance
driven.

Thank you however.
 
Uri Guttman

k> Because I wanted to know how to maintain state IN perl without
k> utilizing cookies. It seems like a miscellaneous perl question that
k> fits right in with comp.lang.perl.misc (note: Comp = Computer. Lang =
k> Language. Perl = duh!. Misc = Miscellaneous). So, how doesn't a
k> miscellaneous perl question belong here?

because you can't do WEB sessions without cookies. and how to do web
sessions is a web problem. perl can implement those sessions but the
problem is inherently not perl specific. now if you have tried various
modules and such and need help with them, ask away.

uri
 
gnari

krakle said:
> Sherif Zaroubi <[email protected]> wrote in message
>
> I need a session. .htpasswd does linear style lookups. Users
> beginning with 'Z' will take longer to look up than users beginning
> with the letter 'A'. It doesn't make sense to have hundreds of
> thousands or even tens of thousands of usernames in a plaintext file.
> Imagine how poor performance will be. I also need session control to
> be able to set time limits, expire as well as some other general
> session tasks. Apache's .htpasswd just isn't enough or performance
> driven.

did you look at the other apache auth_* modules
like mod_auth_dbm or mod_auth_db ?

these provide much better performance with large user sets.

there are also extensions that allow the use of full-blown DBMSs,
if you need better management of your user database.

gnari
 
Alan J. Flavell

krakle ([email protected]) wrote:

: If you completed reading my post you would see that I stated "Please
: don't refer me to .htpasswd because...".

And this is directly relevant to programming in the Perl
language because...?
: > You don't need a session. All you need is a password file.

: I need a session. .htpasswd does linear style look ups.

That makes no kind of sense, but is anyway entirely off-topic for
here.
: Users beginning with 'Z' will take longer to look up than users
: beginning with the letter 'A'.

Apache has excellent documentation. Apacheweek has articles about
authentication, which are cited in the Apache documentation. Kindly
read them before making such preposterous claims.
: It doesn't make sense to have hundreds of
: thousands or even 10's of thousands of usernames in a plaintext file.

Quite so, but this still has no relevance to the Perl programming
language.
: Imagine how poor performance will be.

Not half as poor a "performance" as asking about Apache configuration
in a Perl programming group, gorblimey...
: I also need session control to
: be able to set time limits,

Actually, you don't "need" sessions for that purpose. They *might* be
useful, but this isn't the place to discuss those details.
: I'm not an apache expert, I may be wrong, but I think that apache has
: various implementations of security that are functionally equivalent to
: .htpasswd but do not use that specific file.

I'm confident that the documentation reveals this and more!
 
Malcolm Dew-Jones

krakle ([email protected]) wrote:
: >
: > > Thank you. However, the whole point to my post was to see if I could
: > > do a session with out cookies...
: >
: >
: > If you are running apache.
: > Check .htaccess files and .htpasswd files.

: If you completed reading my post you would see that I stated "Please
: don't refer me to .htpasswd because...".

: >
: > You don't need a session. All you need is a password file.

: I need a session. .htpasswd does linear style look ups. Users
: beginning with 'Z' will take longer to look up than users beginning
: with the letter 'A'. It doesn't make sense to have hundreds of
: thousands or even 10's of thousands of usernames in a plaintext file.
: Imagine how poor performance will be. I also need session control to
: be able to set time limits, expire as well as some other general
: session tasks. Apaches .htpasswd just isn't enough or performance
: driven.


I'm not an apache expert, I may be wrong, but I think that apache has
various implementations of security that are functionally equivalent to
.htpasswd but do not use that specific file.

And as long as you trust the server to correctly identify the user, then
everything else, including session data and timeouts, can surely be indexed
from the user's id.

But, I guess it's up to you to decide.
 
Richard Morse

(e-mail address removed)-berlin.de (Anno Siegel) wrote in message


> Because I wanted to know how to maintain state IN perl without
> utilizing cookies. It seems like a miscellaneous perl question that
> fits right in with comp.lang.perl.misc (note: Comp = Computer. Lang =
> Language. Perl = duh!. Misc = Miscellaneous). So, how doesn't a
> miscellaneous perl question belong here?

URL rewriting. Include the session ID in the URL, and dynamically
rewrite all urls to include this value, probably in the extra path info
after the script name.

Ricky
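The URL-rewriting approach Ricky outlines (the SID carried in the extra path info after the script name, and every link to the script rewritten to include it), as an added Perl example that is not code from the post; the script path, the sample HTML and the 32-hex-character SID format are constructed for the example.

```perl
use strict;
use warnings;

# In a real handler these come from $ENV{SCRIPT_NAME} and $ENV{PATH_INFO};
# the values below are constructed for the example.
my $script = '/cgi-bin/members.pl';

# Pull the SID out of the extra path info, where it sits directly after
# the script name: /cgi-bin/members.pl/<32 hex chars>/profile
# Returns (sid, remaining path); sid is undef when none is present.
sub split_path_info {
    my ($path_info) = @_;
    $path_info = '' unless defined $path_info;
    if ($path_info =~ m{\A/([0-9a-f]{32})(/.*)?\z}) {
        return ($1, defined $2 ? $2 : '/');
    }
    return (undef, $path_info);
}

# Rewrite every href/action that points at this script so the SID is
# inserted after the script name; links to other hosts are left alone.
sub rewrite_links {
    my ($html, $sid) = @_;
    $html =~ s{((?:href|action)=")\Q$script\E(?=[/"?#])}{$1$script/$sid}g;
    return $html;
}

my $sid  = 'a' x 32;   # constructed; a real SID comes from a CSPRNG
my $page = '<a href="/cgi-bin/members.pl/profile">Profile</a> '
         . '<form action="/cgi-bin/members.pl">'
         . '<a href="http://example.com/">elsewhere</a>';
print rewrite_links($page, $sid), "\n";

my ($got_sid, $rest) = split_path_info("/$sid/profile");
print "sid=$got_sid rest=$rest\n";
```

A SID carried in the URL ends up in browser history, bookmarks, server logs and the Referer header sent to any external link, so sessions carried this way should be short-lived and invalidated on logout.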
 
Jürgen Exner

krakle said:
> (e-mail address removed)-berlin.de (Anno Siegel) wrote in message
>
> Because I wanted to know how to maintain state IN perl

Well, Perl is a procedural programming language, so yes, it does have
states. As long as you don't exit it will maintain the state of all its
variables. Well, at least those defined globally. Where is the problem?

> without utilizing cookies.

Cookies? Cookies? That doesn't sound like anything related to Perl at all.
Perldoc says:
No documentation for perl FAQ keyword `cookie' found
No documentation for perl function `cookie' found

Wild guess: are you by any chance talking about CGI/web programming/HTML?

> It seems like a miscellaneous perl question that
> fits right in with comp.lang.perl.misc (note: Comp = Computer. Lang =
> Language. Perl = duh!. Misc = Miscellaneous). So, how doesn't a
> miscellaneous perl question belong here?

If you are talking about CGI/web programming/HTML, then what makes you think
your question is a perl/Perl question?
If you are not talking about CGI/web programming/HTML then I apologize and
would appreciate any pointer to the Perl documentation that describes Perl
cookies resp. says that a Perl program does not have a state.

jue
 
Tad McClellan

Pinocchio said:
> So, how doesn't a
> miscellaneous perl question belong here?


A miscellaneous Perl question _does_ belong here.

But that isn't the kind of question you asked above.

There is nothing language-specific in your question.

Your question is not about Perl. Your question is about how to
maintain state in CGI applications.

Correctly partitioning the problem is a huge step toward solving
the problem.

First find out if maintaining state without cookies is possible,
if it is, _then_ it is appropriate to turn your attention to how
to implement it in some particular programming language.
 
krakle

Alan J. Flavell said:
> That makes no kind of sense, but is anyway entirely off-topic for
> here.

How doesn't it make sense? Perhaps you don't know what linear is.. And
yes this is off-topic which is why my post WASN'T about .htpasswd.
 
krakle

Jürgen Exner said:
> Cookies? Cookies? That doesn't sound like anything related to Perl at all.
> Perldoc says:
> No documentation for perl FAQ keyword `cookie' found
> No documentation for perl function `cookie' found

Which is why my post ISN'T about cookies. You guys seem to chop down
my post to where I said "without cookies" and "don't recommend
.htpasswd" then tell me this newsgroup isn't about cookies or
.htpasswd when my post didn't even include any cookie or .htpasswd
questions... Are you guys morons or something?

The question IS ontopic to this group. Hell if I was to ask "How do
you execute a perl script" i'd prob. be told it's off topic and
redirected to an OS group instead of someone just saying "perl
<script.pl>".
 
Alan J. Flavell

> How doesn't it make sense?

The fact that you mentioned .htpasswd indicates that you were
considering a method of authentication. Apache supports various
authentication techniques. You haven't shown any cause yet why one of
them would not meet your requirements.

You state, without showing your working, that you "need a session".

If that's truly so, then why were you considering a method of
authentication - which by no means defines a session? So you
in effect contradicted yourself, while bringing in what you claimed to
be a reason ("linear search") that was completely irrelevant to the
contradiction which you had produced.

On the basis of what you've posted so far, I'd say that readers here
are entitled to conclude that you haven't yet reached a proper
decision about what to implement; so it's hard to believe that you're
ready for Perl-specific advice on how to implement it. Of course I
could be wrong - obviously we don't have the full background to your
problem, so folks have to respond on the basis of what you chose to
post.
> Perhaps you don't know what linear is..

*giggle*

> And yes this is off-topic

Indeed. Which is why I shall try to resist dragging this thread out
further.

> which is why my post WASN'T about .htpasswd.

It didn't appear to be about programming in Perl, either, you know.

have fun.
 
Tad McClellan

Pinocchio said:
> Are you guys morons or something?

Yes we are.

It is useless to post here, so don't.

> The question IS ontopic to this group.

No it isn't.

It would be ontopic in a newsgroup with some connection to
web stuff. This is not such a newsgroup.
 
Malcolm Dew-Jones

krakle ([email protected]) wrote:
: > > : > You don't need a session. All you need is a password file.
: >
: > > : I need a session. .htpasswd does linear style look ups.
: >
: > That makes no kind of sense, but is anyway entirely off-topic for
: > here.

: How doesn't it make sense? Perhaps you don't know what linear is.. And
: yes this is off-topic which is why my post WASN'T about .htpasswd.

Well for one thing you contradicted yourself elsewhere. You said that
looking up names that start with Z would take longer than names that start
with A (or words to that effect). However, that would only be true if the
data was sorted, which would imply that apache does something smarter with
the data in .htpasswd than simply doing a "linear style look up".

Anyway, without looking at the source, or doing careful timing of
.htpasswd lookups, I wouldn't see any reason to assume that apache does
linear lookups in the first place. It is just as possible that the files
are (for example) cached in memory in some kind of structure that provides
extremely fast lookup. Unless the .htpasswd file is being constantly
updated, then this could be very efficient, and sounds quite easy to
implement.
 
John W. Kennedy

krakle said:
> The question IS ontopic to this group.

No, it is not. You are asking a question about how the web works, not
how Perl works. You are in the position of someone who goes to a group
concerned with English grammar to ask "What is the quadratic formula?",
and, when told the question is off-topic, complains, "What's wrong? I
asked the question in English, didn't I?"
 
krakle

John W. Kennedy said:
> No, it is not. You are asking a question about how the web works, not
> how Perl works.

I never asked how the web works or any sort of question to that
nature. It was a question pertaining to sessions in mod_perl. Yes it
will be used for a web site obviously but it DOESN'T make sense to ask
a PERL question in a regular newsgroup dealing with the web that
doesn't relate to PERL... Why is this so hard for you guys to
understand...
 
krakle

Tad McClellan said:
> Your question is not about Perl. Your question is about how to
> maintain state in CGI applications.

Because mod_perl IS CGI? Actually buddy, mod_perl ISN'T CGI...
 
