  1. #1
    New to the CF scene (Lincoln, England; joined Aug 2012)

    Is this simple CGI login secure?

    In anticipation, thank you.

    Q: How secure is this cookie?

    Background:
    For some years I've been working with private customer pages that are covered by a simple login device (1).

    It calls this CGI (2).

    Each customer account page includes this cookie in each folder's index.php file (3).

    I now wonder how secure this arrangement is.

    Is it secure?

    Thanks for looking ...

    1) login.php includes this form:
    Code:
    <form id="ID" action="http://domainname.com/cgi-bin/login.cgi" method="post" name="theForm">
    Account reference  <input name="password" title="login" onfocus="formInUse = true;">  
    <input type="submit" value="login">
    </form>
    2) /cgi-bin/login.cgi

    Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI::Cookie;
    use CGI qw(:standard);

    # Each accepted password maps directly to the customer folder it unlocks.
    my %urlList = ("password1" => "http://domainname.com/folder1/",
                   "password2" => "http://domainname.com/folder2/",
                   "password3" => "http://domainname.com/folder3/",
                   "password4" => "http://domainname.com/folder4/");

    my $invalidurl = "http://domainname.com/folder/oops.php";

    my $q = CGI->new;
    my $password = $q->param('password');
    $password = '' unless defined $password;

    if (exists $urlList{$password}) {
      # Known password: set the marker cookie (value "0") and send the
      # browser to the matching folder.
      my $validurl = $urlList{$password};
      my $cookie = $q->cookie(-name => "validpassword", -value => "0", -path => "/");
      print $q->redirect(-url => $validurl, -cookie => $cookie);
    }
    else {
      # Unknown password: no cookie, straight to the error page.
      print $q->redirect(-url => $invalidurl);
    }

    3) each .php or .htm file in separate folders
    Code:
    <script type="text/javascript">
    <!--
    // Returns the value of the named cookie, or false if it is not set.
    function getCookieValue (cookieName) {
      var exp = new RegExp (cookieName + "=([^;]+)");
      var match = exp.exec (document.cookie + ";");
      if (match) {
        return unescape(match[1]);
      }
      else return false;
    }

    var invalidpassword = "http://domainname.com/oops.php";
    // No "validpassword" cookie at all: bounce to the error page.
    if (!getCookieValue ("validpassword")) {
      location.replace (invalidpassword);
    }
    else {
      // login.cgi never sets a "password" cookie, so myCookie is false here;
      // (false != "0") evaluates to false, so no redirect happens.
      var myCookie = getCookieValue ("password");

      if (myCookie != "0") {location.replace (myCookie);}
    }
    //-->
    </script>
    Thanks for looking

  • #2
    Super Moderator (Southern tip of Silicon Valley; joined May 2005)
    I would need to run a few tests to see how secure it is, but it doesn't look secure to me and I certainly would not ever consider using it.

    1) The input field should be set to type='password'

    2) You should be using https to transmit the login info over a secure SSL channel

    3) The passwords should be encrypted and stored in a database. The user supplied password is then encrypted and compared with the stored password.

    4) You should be using server side sessions to maintain state, part of which is a "login" token that gets set based on success or failure of the login.

    5) The cookie data should be stored on the server as part of the session data, not as part of a client-side cookie.

    6) The session ID is the only thing that should be in the cookie that the client receives.

    See: CGI::Session

  • Users who have thanked FishMonger for this post: rschroder (08-01-2012)
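    The six points above, carried into a working replacement for the login.cgi from post #1. This is an added example, not FishMonger's or the original poster's code. It assumes the login form gains a name="account" field next to a type="password" field (point 1), that the site is served only over HTTPS (point 2), that CGI, CGI::Session and the CPAN module Crypt::Eksblowfish::Bcrypt are installed, and that /dev/urandom exists; the session directory, the %accounts table and the subs make_hash, ct_eq, check_password, handle_login and current_account are names chosen for this example.

```perl
#!/usr/bin/perl
# Added example (not the thread's code): login.cgi rebuilt around points 2-6.
# Assumptions: HTTPS only; CGI, CGI::Session and Crypt::Eksblowfish::Bcrypt
# installed; /dev/urandom available; $session_dir writable by the web server
# user and outside the document root. All names below are invented here.
use strict;
use warnings;
use CGI;
use CGI::Session;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

my $session_dir = '/var/lib/cgi-sessions';               # hypothetical path
my $invalid_url = 'https://domainname.com/folder/oops.php';

# Point 3: only hashes are stored. Constructed sample table; replace the
# placeholders with real output of make_hash() (see the CLI mode at the end).
# A real deployment reads these rows from a database.
my %accounts = (
    customer1 => { hash   => '$2a$12$REPLACE_WITH_OUTPUT_OF_make_hash',
                   folder => 'https://domainname.com/folder1/' },
    customer2 => { hash   => '$2a$12$REPLACE_WITH_OUTPUT_OF_make_hash',
                   folder => 'https://domainname.com/folder2/' },
);

# bcrypt with a fresh 16-byte random salt; cost 12 keeps each guess slow.
sub make_hash {
    my ($plain) = @_;
    open(my $rnd, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($rnd, my $salt, 16) == 16 or die "short read from urandom";
    close $rnd;
    return bcrypt($plain, '$2a$12$' . en_base64($salt));
}

# Byte-by-byte comparison that does not stop at the first mismatch, so the
# response time does not depend on how much of the hash matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Point 3: hash the supplied password with the stored salt/cost and compare.
# The stored string never leaves the server.
sub check_password {
    my ($account, $plain) = @_;
    my $row = $accounts{$account} or return 0;
    return ct_eq(bcrypt($plain, $row->{hash}), $row->{hash});
}

# Points 4-6: on success a brand-new server-side session records the login
# and the account; the browser receives only the session ID, as an
# HttpOnly + Secure cookie. Nothing the client can edit decides the outcome.
sub handle_login {
    my ($q) = @_;
    my $account = $q->param('account');  $account = '' unless defined $account;
    my $plain   = $q->param('password'); $plain   = '' unless defined $plain;
    unless (check_password($account, $plain)) {
        print $q->redirect(-url => $invalid_url);
        return;
    }
    # undef instead of $q: never adopt an ID the client presented (fixation).
    my $session = CGI::Session->new('driver:File', undef, { Directory => $session_dir })
        or die CGI::Session->errstr;
    $session->param('logged_in', 1);
    $session->param('account', $account);
    $session->expire('+30m');
    $session->flush;
    my $cookie = $q->cookie(-name => $session->name, -value => $session->id,
                            -path => '/', -secure => 1, -httponly => 1);
    print $q->redirect(-url => $accounts{$account}{folder}, -cookie => $cookie);
}

# Server-side replacement for the JavaScript cookie check in part 3 of the
# question: a protected CGI page calls this and serves content only when an
# account name comes back. PHP pages cannot read these session files, so the
# protected area has to use the same session mechanism as the login itself.
sub current_account {
    my ($q) = @_;
    my $session = CGI::Session->load('driver:File', $q, { Directory => $session_dir })
        or return undef;
    return undef if $session->is_empty || $session->is_expired;
    return $session->param('logged_in') ? $session->param('account') : undef;
}

if (@ARGV && $ARGV[0] eq '--make-hash') {   # one-off: perl login.cgi --make-hash 'secret'
    die "usage: login.cgi --make-hash PASSWORD\n" unless defined $ARGV[1];
    print make_hash($ARGV[1]), "\n";
} else {
    handle_login(CGI->new);
}
```

    Run perl login.cgi --make-hash 'the password' once per account and paste the printed bcrypt string into the account table; from then on the script only ever compares hashes. The folder-to-account mapping and the logged-in flag live in the session file on the server, and the only thing the browser holds is the CGISESSID value, which carries no meaning on its own and expires with the session.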

  • #3
    New to the CF scene (Lincoln, England; joined Aug 2012)
    Quote Originally Posted by FishMonger
    The CGI::Session is most useful and I have taken on board all your remarks.

    Thank you for taking the time for such detail.

    Will construct something else and, in a day or so, re-post a variant.

