Gossamer Forum
Home : Products : Gossamer Links : Version 1.x :

user.cgi: security

ok.. this isn't really relevant to many Links SQL users.. but Alex.. You know the username cookie.. is there any chance you encrypt that?

I'm beginning to notice places that have personalized pages actually save it as an encrypted cookie.. not plain text because if you left it plain text you can easily alter the username and when you go to a personalized page, you get the other user's data.. (to the kinds of sites that don't really care if you login for data that won't matter if you don't "login" with a password)

I made two subs to encode/decode numbers for a Links 2.0 mod (MyLinks) and it made the four digit plus numbers like two characters long.. and by adding more characters to the hash it can get shorter.. but I didn't want to go through converting letters :)

like I said.. it doesn't apply to all.. but I have no clue what the best way to encode/decode a string is.. if you used hex a bunch of "people" will figure it out in two minutes..

jerry
Re: user.cgi: security
Hi,

I don't see the problem? The security is based on the session id, not on the username. Storing the username in a cookie is purely for convenience so that when they return to the login form, you can prefill the username.

To authenticate a user, always use the session id as in:

my $user = &authenticate ($in->param('s') || $in->cookie('s'));

Look at how maintain.cgi does it. The only way to get someone else's data is by guessing the session id, a very difficult task.

Or am I just missing something? =)

Cheers,

Alex
Re: user.cgi: security
alex..

well.. this is from my experience at stocksite.com

the main thing is that they store a cookie that lasts LONGER than the regular cookie with just your USERNAME in it.. for security they encrypt it as well..

reason why?

cause when you return to their site.. they will display YOUR stocks on the main page with a bunch of other things all personalized to you.. if you left the cookie unencrypted.. someone can change the username.. for example to the admin and see what they have..

this is not an example of a "Links" thing.. but may be useful if people want mods for like personalized homepages.. and CONTENT..

jerry
Re: user.cgi: security
This is what I'm hoping to do... allow persistent cookies, so that returning users will be able to see their 'personalized page' on log on, but if they need to, they can always log-in/log-out

I'm still working on minor technical stuff, before I tackle the big stuff (and have had a family crisis this week that has and is taking up a good deal of my time).

Security is important, but so is convenience. Perhaps, a personalized page can be shown with the "username" stored, but in order to effect any changes, or to go anywhere, the user will have to log in. That way they are welcomed in, but are assured they still have security by having to validate again.

Re: user.cgi: security
Ah, well personally, if I wanted people to be able to automatically login, I would store both a username and a password as cookies and then use both of those to look the user up.

You then of course need to add the ability to remove these cookies easily, as not all people will want them saved.

Cheers,

alex
Re: user.cgi: security
it's not like an automatic login.. if you go to epinions.com you will notice that they keep a cookie that knows who you are.. to edit anything you have to login first and if you are inactive for 10 minutes your session ends..

but if you go back.. everything is still personalized to you cause of the Username cookie (which is encrypted)..

jerry
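The thread mixes two things: Alex's point that real authentication should hang off the session id (the `&authenticate($in->param('s') || $in->cookie('s'))` call), and jerry's "encrypted username cookie" that only personalizes what a returning visitor sees. The example below is added here and is not Links SQL code or anything the posters wrote; it shows one way to make the long-lived username cookie tamper-evident with an HMAC (so a visitor who edits it to `admin` is simply treated as anonymous) while editing still goes through a server-side session lookup. The `%SESSIONS` table, the `$SECRET` value and the `make_remember_cookie` / `read_remember_cookie` / `authenticate` names are all assumptions for the demo.

```perl
#!/usr/bin/perl
# Added example, not part of Links SQL: a tamper-evident "remember who I am"
# cookie beside session-id authentication. %SESSIONS, $SECRET and the sub
# names are constructed for this demo.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Server-side secret (constructed placeholder). In a real deployment read it
# from a file outside the web root; it never goes to the browser.
my $SECRET = 'CHANGE-ME-long-random-server-secret';

# Constructed stand-in for the server-side session table. Only the random
# session id is sent to the browser; the username lives here.
my $DEMO_SID = '0123456789abcdef' x 2;
my %SESSIONS = (
    $DEMO_SID => { username => 'jerry', expires => time + 600 },
);

# Cookie value is base64(username).expiry.hmac; the HMAC covers both fields,
# so changing the username or the expiry invalidates the cookie.
sub make_remember_cookie {
    my ($username, $ttl_seconds) = @_;
    my $expires = time + $ttl_seconds;
    my $payload = encode_base64($username, '') . '.' . $expires;
    my $mac     = hmac_sha256_hex($payload, $SECRET);
    return "$payload.$mac";
}

# Returns the username, or undef if the cookie is missing, altered or expired.
sub read_remember_cookie {
    my ($cookie) = @_;
    return undef unless defined $cookie;
    my ($b64, $expires, $mac) = split /\./, $cookie, 3;
    return undef unless defined $mac && defined $expires && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex("$b64.$expires", $SECRET);
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    return undef unless length($mac) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return undef if $diff;
    return undef if $expires < time;
    return decode_base64($b64);
}

# Session-id authentication as Alex describes: the cookie only names a
# session; the user record is looked up server-side. Required for any edit.
sub authenticate {
    my ($sid) = @_;
    return undef unless defined $sid && $sid =~ /^[0-9a-f]{32,}$/;
    my $s = $SESSIONS{$sid} or return undef;
    return undef if $s->{expires} < time;
    return $s->{username};
}

# Demo: a 30-day personalization cookie, then the same cookie with the
# username segment swapped for base64('admin').
my $cookie = make_remember_cookie('jerry', 30 * 86400);
print "cookie:   $cookie\n";
print "welcome:  ", (read_remember_cookie($cookie) // 'anonymous'), "\n";

(my $tampered = $cookie) =~ s/^[^.]+/encode_base64('admin', '')/e;
print "tampered: ", (defined read_remember_cookie($tampered) ? 'accepted' : 'rejected'), "\n";

# Editing still requires a live session, whatever the remember cookie says.
print "edit as:  ", (authenticate($DEMO_SID) // 'login required'), "\n";
print "bad sid:  ", (authenticate('deadbeef') // 'login required'), "\n";
```

The design point matches what the thread converges on: the signed cookie is good enough to greet a returning visitor and show their personalized page, because forging it requires the server secret rather than just retyping a name, but it is never consulted for changes; those go through `authenticate` and the short-lived session, so a stolen or replayed personalization cookie buys nothing beyond the public view. Encryption is not needed for the username to be tamper-evident; integrity (the HMAC) is what stops the "change it to admin" case jerry describes.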