From: jrisley at nex-web4 dot corp dot fedex dot com (Jason Risley)
Subject: RE: I need a simple encryption subroutine, to encrypt/decrypt a string
Date: Feb 18 1999 5:35PM
For an app that I have where security is an issue, I do the following:
1. Gather initial password from Login Page,
2. Check to see if password is valid.
3. If not valid revoke access.
4. If valid, randomize a session key.
5. I associate and store the randomized session key to the password.
6. Each time the session key is used that record is timestamped.
7. I also have a cron job setup for every fifteen minutes, that if a session
key's timestamp is greater than 16 minutes old, then the session key record
is deleted and the user is required to relogin to continue (which generates
a new session key).
Also, the session record contains additional information that I track
specific to the application.
Granted the above is a little bit more work, but it does keep things tight
as is required for the app.
> -----Original Message-----
> From: owner-SYBPERL-L@listproc.net
> [mailto:owner-SYBPERL-L@listproc.net]On Behalf Of Steve Allen
> Sent: Thursday, February 18, 1999 10:51 AM
> To: SybPerl Discussion List
> Cc: 'Steve Allen'; SybPerl Discussion List
> Subject: Re: I need a simple encryption subroutine, to encrypt/decrypt a
> I have a form created in html which a password is input, this
> form will be used by
> many people to access the application, I then need to use the
> POST method in cgi
> which executes the main perl script diary application.
> the problem is the password is passed as a variable in the query
> string and only
> this user would see the password on how leaving his desk leaves
> his password is
> wide open as it will show in the browser. this password is the
> main password to
> access the SQLSERVER database. the simplest method is to encrypt
> the password when
> passed to the second perl script using "POST" method then when
> the diary is
> regularly refreshed the password which will then be bookmarked
> will show the
> variable and the encrypted password, when the variable is checked
> it can then be
> decrypted and used to access the database
> so all I need is a bit of perl to read the string, and convert to
> something, and
> then be able to unconvert when database connection is required.
> I am not too sure how to manipulate a string in perl like you would do in C
> ie newstr[i] = oldstr[i] + 'A' for instance
> Chris Jack wrote:
> > I am not clear why you need encryption. Are you worried about
> some security
> > problem - if so what? What operating system are you using?
> > Is it the case that what you need is a mechanism whereby you invoke an
> > application with a password. Furthermore you do not want people to
> > eavesdrop upon that password. If so, how do you believe people
> would do this in
> > your environment? If your problem is simply that you pass the
> password on
> > the command line and people can then do process listings to
> view it, there
> > are other mechanisms you could use to pass the password. For
> instance you
> > could invoke the Perl script as a pipe and pass the password on STDIN.
> > In a more general sense, it is easier to advise on a solution
> to a problem
> > if you give complete details of the problem rather than asking
> for advice
> > on implementing one possible solution.
> > Chrisj
> > -----Original Message-----
> > From: Steve Allen [SMTP:firstname.lastname@example.org]
> > Sent: Thursday, February 18, 1999 3:11 PM
> > To: email@example.com
> > Cc: SybPerl Discussion List
> > Subject: Re: I need a simple encryption subroutine, to
> encrypt/decrypt a
> > string
> > Chris Jack wrote:
> > > Perl has a function called crypt() that you could look at but
> that only
> > > does encryption (why do you need to decrypt?). Alternatively you could
> > get
> > > PGP off the net. You could also try looking at the secure_rpc
> routines if
> > > they are available on your platform.
> > >
> > > It would be useful if you could give a little bit more
> information about
> > > what you are trying to achieve. Do you want to force users to access
> > Sybase
> > > only through applications controlled by you or what?
> > I need to pass the information between forms ie perl/sybperl
> script which
> > access a
> > database. Based on selections made it reconnects to the db,
> currently this
> > is passed
> > on the query string but I need to encrypt/decrypt when I read
> the variable
> > I need to
> > decrypt it so I can access the database as the user.
> > A main entry form takes the original password
> > Kind Regards
> > Steve Allen.
> Sybase (UK) LTD email: firstname.lastname@example.org
> Sybase Court direct: 01628 597130
> Crown Lane tel: 01628 597111
> Maidenhead fax: 01628 597112
> Berkshire http: www.sybase.com
> SL6 8QZ
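
Steps 4 to 7 of Jason Risley's reply at the top of this message, as an added example that is not code from the thread. It assumes an in-memory hash in place of the session table, /dev/urandom as the randomness source, and hypothetical sub names; the user name and clock values are constructed.

```perl
use strict; use warnings;

use constant IDLE_LIMIT => 16 * 60;   # seconds; the 16-minute cutoff from step 7

# Hypothetical stand-in for the session table:
# session key => { user => ..., last_used => epoch seconds }
my %sessions;

# Step 4: draw the key from the OS CSPRNG rather than rand(), which is predictable.
sub new_session_key {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 16);
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack('H*', $bytes);       # 32 hex characters
}

# Steps 4-5: called only after the password check has passed.
sub start_session {
    my ($user, $now) = @_;
    my $key = new_session_key();
    $sessions{$key} = { user => $user, last_used => $now };
    return $key;
}

# Step 6: look the key up on every request and timestamp the record.
# Returns the user name, or undef when the caller must log in again.
sub use_session {
    my ($key, $now) = @_;
    my $rec = defined $key ? $sessions{$key} : undef;
    return undef unless $rec;
    if ($now - $rec->{last_used} > IDLE_LIMIT) {   # do not rely on the reaper alone
        delete $sessions{$key};
        return undef;
    }
    $rec->{last_used} = $now;
    return $rec->{user};
}

# Step 7: the body of the cron job; returns how many records it deleted.
sub reap_sessions {
    my ($now) = @_;
    my @stale = grep { $now - $sessions{$_}{last_used} > IDLE_LIMIT } keys %sessions;
    delete @sessions{@stale};
    return scalar @stale;
}

# Constructed walk-through with fixed clock values (seconds).
my $key = start_session('demo_user', 1_000);
print "idle 10 min: ", (use_session($key, 1_600) // 'login required'), "\n";
print "idle 17 min: ", (use_session($key, 2_620) // 'login required'), "\n";
```

Checking the idle limit inside use_session as well as in the cron job closes the window in which a key older than 16 minutes would still be accepted before the next fifteen-minute sweep.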