Website authorization – my solution

Wednesday 11 November 2009 @ 6:37 am

I wrote about wondering how to implement “login” for a dynamic website in Perl. The best solution advised by http://perldesignpatterns.com/?WebAuthentication was a temporary token: “cookie with an authorization token. Store the token in the database along with an expiration time separate of the cookie. The token should be randomly generated and completely separate from the password but handed out when the password is validated. This is the best case;”, but that was overkill for now, so I settled for this scheme:

When a user registers, his password is stored in the database as an md5-crypt digest. A salt is generated: a string of eight random letters, digits and the like. I use Crypt::PasswdMD5 qw(unix_md5_crypt);

When the user logs in, the password is checked by crypting it again, using the crypted password from the database as the salt:

if ( $cryptedpassword eq unix_md5_crypt($password, $cryptedpassword)) {

and if it matches, a cookie is set containing the user ID and the crypted password.

The cookie is then checked on every page to see whether it contains the crypted password from the database.

Well, this is my way of doing it for now, already implemented, and I feel a bit uneasy about it: what is the point of crypting the password and storing it crypted, when all that matters is whether the value from the cookie equals the value in the database? It could be stored uncrypted and it would work the same way.

The only advantage is that the password itself is not stored in the cookie, but that hardly helps, since the digest alone is enough to pretend to be logged in.

What do you think?
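To make the comparison concrete, here is an added example (my own sketch, not code from the post or from Crypt::PasswdMD5) of the token scheme the quoted page recommends, built around the same unix_md5_crypt check. The hashes %users and %sessions are assumed stand-ins for database tables, and random_string is an assumed helper that reads /dev/urandom.

```perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);

# Assumed stand-ins for two database tables (constructed for this example).
my %users;     # username => crypted password ("$1$salt$hash")
my %sessions;  # token    => { uid => username, expires => epoch seconds }

# Assumed helper: $len random characters drawn from /dev/urandom.
# 64 symbols divide 256 evenly, so "ord % 64" introduces no bias.
sub random_string {
    my ($len) = @_;
    my @chars = ('a'..'z', 'A'..'Z', 0..9, '.', '/');
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, $len;
    close $fh;
    return join '', map { $chars[ ord($_) % @chars ] } split //, $bytes;
}

# Registration as in the post: salted md5-crypt digest, never the password.
sub register {
    my ($user, $password) = @_;
    $users{$user} = unix_md5_crypt($password, random_string(8));
}

# Login: the post's own check, then a random token instead of the digest.
sub login {
    my ($user, $password) = @_;
    my $stored = $users{$user} or return;
    return unless $stored eq unix_md5_crypt($password, $stored);
    my $token = random_string(32);
    $sessions{$token} = { uid => $user, expires => time + 3600 };
    return $token;    # this, not the crypted password, goes in the cookie
}

# Per-page check: token must exist server-side and not have expired.
sub user_for_cookie {
    my ($token) = @_;
    my $s = $sessions{$token} or return;
    if ($s->{expires} < time) { delete $sessions{$token}; return; }
    return $s->{uid};
}

# Logout revokes the token; a digest-in-cookie scheme cannot do this
# without changing the user's password.
sub logout { delete $sessions{ $_[0] } }

register('alice', 'correct horse battery');
my $cookie = login('alice', 'correct horse battery') or die "login failed\n";
print "page request as: ", user_for_cookie($cookie), "\n";
logout($cookie);
my $who = user_for_cookie($cookie);
print defined $who ? "still valid\n" : "token revoked\n";
```

A stolen cookie in this scheme is worth at most one hour and can be killed by logout, whereas a stolen crypted password stays valid until the user changes the password.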


Posted in cpan, work
