Secure Logoff

Status
Not open for further replies.

hunter13605

Technical User
Apr 7, 2006
US
I have a logoff on my Perl file, but if somebody else were to go to the history or hit the back button it just lets them back into the account. Is there any way to stop this? I am using really simple code so I'm not too hopeful. You can view the page at
 
How are we supposed to see the script if we go to your site?
And even if we could, there is no name and ID provided to log on in the first place.
Next time you need some help, try posting some code instead of useless web addresses.


``The wise man doesn't give the right answers,
he poses the right questions.''
TIMTOWTDI
 
There isn't any code. It just gets a login and PIN. Then when the user clicks logoff it takes them to the home page and tells them to close the window. What I want to know is if there is a more secure way to do this. The computers at school re-image themselves every time somebody logs off, so it's not a problem there, but if somebody does it from home then it could cause a problem.
 
Use server-side session cookies. When a user logs in, create a session for them and give them a cookie that corresponds to the session (just so they can tell the server which session is theirs). Better yet, make it a temporary cookie that will expire when they close the window.

Have the server side session file automatically delete itself if the user makes no action for 15 minutes or so. So if they just leave themselves logged in, their session would time out if they tried doing any action in their account.

When they log off, the session should be deleted from the server. If they hit the back button, they'll still see the pages they were on, of course, as this is from browser cache. But if they click a link from those pages, to do an action in their account, they'll get an error because their session expired.

You follow?
 
That sounds exactly like what I am looking for. Now, is there a website that you would recommend that would show me how to do this? It is all new to me. I am a quick learner with examples or the code from a site that uses the same method. Thanks
 
Do you know how to write to files in Perl?

What I would do is, on every action the user makes, write something new to their session file...

Code:
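# rewrite the session file so its modification time records the latest activity
open (my $ses, '>', "./sessions/$session\.txt") or die "Cannot write session file: $!";
print $ses "updated";
close ($ses);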

Then, you can do a stat() on the file to see when it was last updated.

Code:
my @stats = stat("./sessions/$session\.txt");
my $updated = $stats[9];   # mtime (epoch seconds); undef if the file does not exist

# if the file is 15 minutes old...
if (defined $updated && time() - $updated >= (60*15)) {
   # delete it
   unlink ("./sessions/$session\.txt");
}

That should get you started. :)

Other than that, I don't know of any sites about this, but you can always search Google.
 
I somewhat understand the code. I know how to write files on the server but I'm not sure how to write the files to store in the cookies of the user's browser.

I have tried to write to files on the server that don't exist and found that it won't create the file if it isn't already there. Is this a setting on the server or is it impossible to do?
 
You should be able to create files which don't exist unless there's a server setting preventing it.

As for cookies, use the CGI module.

Code:
#!/usr/bin/perl -w

use strict;
use CGI;

# create an object
my $cgi = CGI->new;

# create a couple cookies
my $cookie_a = $cgi->cookie (
   -name => 'firstcookie',
   -value => 'some value',
);
my $cookie_b = $cgi->cookie (
   -name => 'secondcookie',
   -value => 'another value',
);

# print http headers for the cookies
print $cgi->header (-cookie => [ $cookie_a,$cookie_b ]);

You'd print $cgi->header instead of printing "Content-Type: text/html\n\n" like you'd normally do. $cgi->header handles all headers like that, and can also take care of the "Set-Cookie:" headers too.

If you only set one cookie, you don't need the array ref.
Code:
print $cgi->header (-cookie => $cookie_a);
 
Thanks, I think that is what I needed. I really appreciate your help.
 
One quick other thing... Instead of the inactivity basis, is there a way to delete the cookie when the user clicks logoff?
 
I did a similar thing a while back but hit a snag. Some people are still wary about cookies and prevent them - test your script with cookies turned off, too.
You could always append the time value to your URL and check the value on entry to your Perl script. Encode the 10-digit time value, then place it within a much larger randomly created number.

Keith
 
I can't assign a time limit because the students would be spending a lot of time typing the information into the form and they would be very mad if it was all lost because the server timed out. Thanks anyways.
 
I have decided that the system that I am using now will work fine. If I was writing a program that was requesting any personal information then I would want a secure login system, but I have changed my mind on this one. Thanks for all your help.
 
Jumping in late, but don't neglect the CGI::Session module. It's specifically made to handle sessions in either a text or database-driven way.

- George
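
The file-based session scheme suggested earlier in the thread, combined with the logoff step that was asked about, as an added example that is not code from any poster. Assumptions: the cookie name `session`, the `action=logoff` parameter, the `./sessions` directory and a login/PIN check that runs elsewhere before `create_session()` is called.

```perl
use strict;
use warnings;
use CGI;
my $DIR  = './sessions';  # assumed: writable by the CGI user, not served by the web server
my $IDLE = 15 * 60;       # idle timeout in seconds, as suggested in the thread

# Call only after the login and PIN have been verified (not shown here).
# The ID is 128 random bits from the OS, so it cannot be guessed.
sub create_session {
    open(my $rnd, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($rnd, my $bytes, 16) == 16 or die "short read from urandom";
    close($rnd);
    my $id = unpack('H*', $bytes);
    open(my $fh, '>', "$DIR/$id.txt") or die "create session: $!";
    close($fh);
    return $id;   # send with $cgi->cookie(-name => 'session', -value => $id, -httponly => 1)
}

# Returns the ID if it is well-formed, exists on the server and is not idle-expired.
sub check_session {
    my ($id) = @_;
    # The cookie is client-controlled: accept only our own ID format,
    # so the value can never name a path outside $DIR.
    return unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    my $file  = "$DIR/$id.txt";
    my $mtime = (stat($file))[9];
    return unless defined $mtime;                  # no such session (already logged off)
    if (time() - $mtime >= $IDLE) { unlink($file); return; }
    utime(undef, undef, $file);                    # record this request as activity
    return $id;
}

# Logoff: delete the server-side record, after which the old cookie value is worthless.
sub destroy_session {
    my ($id) = @_;
    unlink("$DIR/$id.txt") if defined $id && $id =~ /\A[0-9a-f]{32}\z/;
}

my $cgi = CGI->new;
my $id  = check_session(scalar $cgi->cookie('session'));
if (($cgi->param('action') // '') eq 'logoff') {
    destroy_session($id);
    # Replace the browser's cookie with an already-expired one.
    my $gone = $cgi->cookie(-name => 'session', -value => '', -expires => '-1d');
    print $cgi->header(-cookie => $gone, -cache_control => 'no-store'), "Logged off.\n";
} elsif ($id) {
    print $cgi->header(-cache_control => 'no-store'), "Account page\n";
} else {
    print $cgi->header(-status => '403 Forbidden'), "Please log in.\n";
}
```

The `Cache-Control: no-store` header asks the browser not to keep account pages, which addresses the back-button view from cache mentioned above; the server-side check is what actually blocks any further action after logoff.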
 