my cookies secure or not ?? please read


usmanbsd
03-12-2005, 10:34 PM
How are you all?
I am basically a system admin, new to the Perl/CGI world; this is also my first post on this forum.
These are my cookie-based CGI scripts; tell me if they are secure or not.

login.cgi
-----------------
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:all);

my $q = CGI->new;
my $username = defined $q->param('name') ? $q->param('name') : '';
my $password = defined $q->param('pass') ? $q->param('pass') : '';

# Placeholder: the original post does not include perror(); it prints an error page.
sub perror {
    print header(), "Login failed\n";
}

if ( length($username) < 2 || length($password) < 2 ) {
    perror();
}
elsif ( $username eq "admin" && $password eq "yahoo" ) {
    # Cookie carries the plain username; no -expires, so it lasts until the browser closes.
    my $cookie1 = cookie(-name => 'user', -value => $username);
    print redirect(-uri => 'http://www.blah.com/main2.cgi',
                   -cookie => $cookie1);
}
elsif ( $username eq "everyone" && $password eq "everyone" ) {
    my $cookie1 = cookie(-name => 'user', -value => $username);
    print redirect(-uri => 'http://www.blah.com/main.cgi',
                   -cookie => $cookie1);
}
else {
    perror();
}
---------------------------------

Now main2.cgi, which is reserved for admin use. I am maintaining security on cookies like this.

#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:all);

my $q = CGI->new;

# Placeholder: the original post does not include page(); it prints the admin page.
sub page {
    print header(), "admin page\n";
}

if ( defined cookie('user') ) {
    # The cookie value is used as-is; it is exactly what the browser sent.
    my $username = cookie('user');

    if ( $username eq "admin" ) {
        page();
    }
    else {
        print $q->redirect('http://www.blah.com/index.html');
    }
}
else {
    print $q->redirect('http://www.blah.com/index.html');
}
------------------------------------


Now please tell me,
1. Is it possible for anyone to change the HTTP header and set the cookie value?

Also please guide me on setting up secure cookies.
Any links will be helpful.


thanks a lot for reading.

regards
usman

mlseim
03-13-2005, 05:28 AM
I usually just use "cookie.lib" or the standard "use CGI" method.

These are really not considered secure, but I don't use them on
any sites that require that security. I do usually always have the
expiration date set to "null", so the cookies expire when the
browser closes.

The problem with cookies is that they are sent to the user's PC.
Anything sent can be grabbed by sniffing software.

The most secure way is to use encryption, sessions, and https.

There are many good modules that handle these things. Whether
or not your server utilizes the modules, you'd have to check with
the webhost you use.

Here's a lot of good information on this via Google:
http://www.google.com/search?q=perl+cookie+security&btnG=Search

With your example, if you use HTTP, I could essentially have a
background program running on the user's PC that makes a copy
of every cookie that is received. Even if the cookie expires, I would
always know the cookie name and values. The security issue actually
falls upon the PC where the cookie is stored.

Notice on this site ... the emphasis is always on using special modules
installed on the server to handle cookies, encryption.
http://bfr.caseywest.com/archives/003065.html
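The first post asks whether a client can set the cookie value itself; it can, since the Cookie request header is entirely under the browser's control, so main2.cgi's check on the plain username only confirms what the client chose to send. The reply's advice (sessions, encryption, HTTPS, browser-session expiry) can be applied to the thread's login.cgi / main2.cgi pair as follows. This is an added example, not code from either poster: the cookie carries an HMAC-signed token instead of a bare username, so a value edited on the client fails verification on the server. It uses signing rather than encryption (the token is readable, just not forgeable), relies on Digest::SHA from core Perl, assumes CGI.pm 3.49 or later for the -httponly option, and the secret, the cookie name 'session', the time-to-live and the target URL are placeholders chosen for the illustration.

```perl
#!/usr/bin/perl
# Added example: signed, flagged login cookie for the login.cgi / main2.cgi
# pair in this thread. Not code from the thread; the secret, cookie name,
# TTL and URLs are assumptions for illustration.
use strict;
use warnings;
use CGI qw(:all);
use Digest::SHA qw(hmac_sha256_hex);

# Server-side key. In a real deployment load it from a file outside the
# document root; this literal is a placeholder only.
my $SECRET = 'PLACEHOLDER-replace-with-random-key-from-config';

# Build a tamper-evident token: "<user>|<expiry-epoch>|<hmac>".
# Editing 'everyone' into 'admin' in the browser invalidates the MAC.
sub make_token {
    my ($user, $ttl_seconds) = @_;
    my $exp     = time() + $ttl_seconds;
    my $payload = "$user|$exp";
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without leaking where they first differ.
sub consteq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the username if the token is intact and unexpired, else undef.
sub verify_token {
    my ($token) = @_;
    return undef unless defined $token;
    my ($user, $exp, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $exp =~ /^\d+$/ && $user =~ /^\w+$/;
    return undef unless consteq($mac, hmac_sha256_hex("$user|$exp", $SECRET));
    return undef if time() > $exp;
    return $user;
}

# login.cgi side: after the password check succeeds, issue the cookie.
# No -expires, so it is a browser-session cookie; -secure restricts it to
# HTTPS; -httponly keeps page scripts from reading it (CGI.pm >= 3.49).
sub issue_login_cookie {
    my ($user, $target) = @_;
    my $c = cookie(
        -name     => 'session',
        -value    => make_token($user, 30 * 60),   # 30-minute lifetime
        -path     => '/',
        -secure   => 1,
        -httponly => 1,
    );
    return redirect(-uri => $target, -cookie => $c);
}

# main2.cgi side: accept only a valid, unexpired token that names 'admin'.
sub admin_user_from_request {
    my $user = verify_token(cookie('session'));
    return (defined $user && $user eq 'admin') ? $user : undef;
}

# Offline self-check when run from the shell rather than under a web server:
# a token issued for 'everyone' and rewritten to claim 'admin' is rejected.
if (!$ENV{GATEWAY_INTERFACE}) {
    my $good = make_token('everyone', 600);
    (my $forged = $good) =~ s/^everyone/admin/;
    printf "good   -> %s\n", defined verify_token($good)   ? verify_token($good)   : 'rejected';
    printf "forged -> %s\n", defined verify_token($forged) ? verify_token($forged) : 'rejected';
}
```

In login.cgi the two `cookie(-name => 'user', ...)` calls would be replaced by `print issue_login_cookie($username, 'http://www.blah.com/main2.cgi')` (or main.cgi for 'everyone'), and main2.cgi's `if ($username eq "admin")` by `if (defined admin_user_from_request())`. The server-side secret is what makes the difference: the client can still rewrite the cookie, but it cannot produce the matching HMAC, so the check in main2.cgi no longer depends on trusting the browser.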