Website authorization – my solution
Wednesday 11 November 2009 @ 6:37 am

I wrote earlier about wondering how to implement a “login” for a dynamic website in Perl. The best solution suggested at http://perldesignpatterns.com/?WebAuthentication was a temporary token: “cookie with an authorization token. Store the token in the database along with an expiration time separate of the cookie. The token should be randomly generated and completely separate from the password but handed out when the password is validated. This is the best case;”, but that was overkill for now, so I settled for this scheme:

When a user registers, his password is stored in the database as an MD5-crypt digest. A salt is generated: a string of eight random letters, digits etc. I use Crypt::PasswdMD5 qw(unix_md5_crypt);

When the user logs in, the password is checked by crypting it again, using the crypted password from the database as the salt:

if ( $cryptedpassword eq unix_md5_crypt($password, $cryptedpassword)) {

and if it matches, a cookie is set containing the user ID and the crypted password.

The cookie is then checked on every page to see whether it contains the crypted password from the database.

Well, this is how I am doing it for now, and it is already implemented, but I feel a bit uneasy about it: what is the point of crypting the password and storing it crypted, when all that matters is whether the value from the cookie equals the value in the database? It could be stored uncrypted and it would work the same way.

The only advantage is that the plaintext password is not stored in the cookie, but it is not needed anyway, as the digest alone is enough to pretend to be logged in.

What do you think?
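For comparison, here is the token-based variant the design-patterns page recommends, written out as an added example (this is not code from the original post). Passwords are stored and verified exactly as in the post, with Crypt::PasswdMD5, but the cookie receives only a random token kept server-side with an expiry, so neither the password nor its digest ever leaves the server. The in-memory %users and %sessions hashes stand in for the database tables, /dev/urandom supplies the randomness and the one-hour expiry is arbitrary; all three are assumptions of this example.

```perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);   # the module the post already uses

# Constructed stand-ins for the database tables (assumption of this example).
my %users;     # login => { id => ..., pwhash => ... }
my %sessions;  # token => { user_id => ..., expires => epoch seconds }
my $next_id = 1;

# Random bytes from the OS, hex-encoded (2 * $bytes characters).
sub random_hex {
    my ($bytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, $bytes;
    close $fh;
    return unpack 'H*', $buf;
}

# Registration: store only the salted MD5-crypt digest, never the password.
sub register {
    my ($login, $password) = @_;
    my $salt = random_hex(4);                # eight salt characters, as in the post
    $users{$login} = { id => $next_id++, pwhash => unix_md5_crypt($password, $salt) };
}

# Login: verify as the post does (the stored digest carries its own salt),
# then hand out a random token that has nothing to do with the digest.
sub login {
    my ($login, $password) = @_;
    my $u = $users{$login} or return;
    return unless $u->{pwhash} eq unix_md5_crypt($password, $u->{pwhash});
    my $token = random_hex(16);
    $sessions{$token} = { user_id => $u->{id}, expires => time + 3600 };  # 1 h, assumed
    return $token;                           # this is all that goes into the cookie
}

# Per-page check: the token must exist server-side and not be expired.
sub user_from_cookie {
    my ($token) = @_;
    my $s = $sessions{$token} or return;
    if ($s->{expires} < time) { delete $sessions{$token}; return }
    return $s->{user_id};
}

sub logout { delete $sessions{ $_[0] } }    # revoking a session is just a delete

register('alice', 'correct horse');
die "wrong password accepted\n" if login('alice', 'wrong');
my $token = login('alice', 'correct horse') or die "login failed\n";
print "user ", user_from_cookie($token), " logged in with token $token\n";
logout($token);
print user_from_cookie($token) ? "still valid\n" : "token rejected after logout\n";
```

Because the cookie value is unrelated to the stored digest, a leaked cookie expires or can be revoked by deleting the session row, which the digest-in-cookie scheme cannot do without changing the password.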

Comments (4) - Posted in cpan,work by  



Website login with Perl
Tuesday 27 October 2009 @ 6:55 am

Lately I have been thinking about implementing logging in (as in login/password) to a website with Perl. I mean that I want a dynamic website where users can log in with a login and password and do some stuff.

After googling for “how to make login site”, mostly PHP session solutions came up. When I added “perl” to the query, half of the results were about logging into someone else’s website (wget, LWP, WWW::Mechanize etc.) and not about adding a login feature to an existing dynamic website. Searching for “perl authentication” found more relevant stuff.

Some pages suggested using .htaccess. Bleh. Besides, I want to keep the users in a SQL database.

One result pointed to CGI::Session on CPAN. Nice. CGI::Session::Auth is nice too 🙂 There is also Apache::Session to be found on CPAN.

There was also a hint to find a Perl web forum script and see how it is done there. Well, I did that with one forum script and found that the user login and crypted password are stored in a cookie. Nice.

There are also books that talk about how to do web authentication: Perl for Web Site Management or CGI Programming with Perl.

Here we have some design patterns: http://perldesignpatterns.com/?WebAuthentication and also: http://perldesignpatterns.com/?SessionPattern and http://perldesignpatterns.com/?PerlDesignPatterns . Even nicer 🙂

But I am still looking for the ultimate “how to”, with examples, on authorizing users (register, login, remind password etc.) in some kind of dynamic website with Perl. Any hints?

Comments (1) - Posted in work by