How secure is this .cgi and .js cookie arrangement


Post by Schroder » 04. January 2012 11:32

In anticipation, thank you.

Q: How secure is this cookie?

Background: I have a hosting reseller account and there are 43 customers. Four years ago I made account history pages for each customer covered with a simple login page (1, below) that calls off this cgi (2) and each account page includes this cookie (3). More web customers are coming on board and account pages include fairly sensitive information and I now wonder how secure is this arrangement.

Is it secure?

Would you recommend a different login arrangement?

Thank you !

(says Richard)

1) login.php includes this form:
Code:
<form id="ID" action="destinationURL/cgi-bin/login.cgi" method="post" name="theForm">
Account reference  <input name="password" title="login" onfocus="formInUse = true;"> 
<input type="submit" value="login">
</form>
</div>


2) login.cgi
Code:
#!/usr/bin/perl
use strict;
use CGI::Cookie;
use CGI qw(:standard);

my %urlList = ("password1" => "destinationURL/account-page.php",
      "password2" => "destinationURL/another-account-page.php",
      "password3" => "destinationURL/another-account-page.php",
      "end" => ""              );

my $invalidurl = "destinationURL/404.php";

my $password = param ('password');
 
my $q = new CGI;
if (exists($urlList{$password})) {

  my $validurl = $urlList{$password};
  my $cookie = $q->cookie(-name => "validpassword", -value => "0", -path => "/");
  print $q->redirect (-url =>$validurl, -cookie => $cookie);
}
else {

  print $q->redirect (-url =>$invalidurl);
}



3) account-page.php
Code:
<script type="text/javascript">
<!--
function getCookieValue (cookieName) {
  var exp = new RegExp (cookieName + "=([^;]+)");
  if (exp.test (document.cookie + ";")) {
    exp.exec (document.cookie + ";");
    return unescape(RegExp.$1);
  }
  else return false
}

var invalidpassword  = "destinationURL/404.php";
if (!getCookieValue ("validpassword")) {
  location.replace (invalidpassword);
}
else {

  var myCookie = getCookieValue ("password");

  if (myCookie != "0") {location.replace (myCookie);}
}
//-->
</script>
Schroder
 
Posts: 4
Joined: 04. January 2012 10:33
Operating System: windows 7
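
Added example, not part of the original post: login.cgi above sets the same cookie value ("0") for every account and the check runs in the browser's JavaScript, so one server-side alternative is a cookie that names the account and carries an HMAC the server verifies before sending any account data. It is written in Perl like login.cgi; the account names, the secret placeholder, the lifetime and the function names are assumptions, and the same check would have to run in the server-side code of each account page.

```perl
# Added example (not the poster's code): server-verified, account-bound session token.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random secret stored outside the web root (placeholder here).
my $SECRET = 'REPLACE-WITH-RANDOM-SECRET';
my $TTL    = 1800;    # session lifetime in seconds (assumed value)

# Build "account|expiry|mac"; the MAC covers both the account and the expiry.
sub issue_token {
    my ($account, $now) = @_;
    my $expires = $now + $TTL;
    my $mac     = hmac_sha256_hex("$account|$expires", $SECRET);
    return "$account|$expires|$mac";
}

# Return the account name if the token is authentic and unexpired, else undef.
sub verify_token {
    my ($token, $now) = @_;
    my ($account, $expires, $mac) = split /\|/, ($token // ''), 3;
    return unless defined $mac && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex("$account|$expires", $SECRET);
    return unless length($mac) == length($expected);
    # Compare every character so timing does not depend on where a mismatch is.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return if $diff;
    return if $now > $expires;
    return $account;
}

# Each account page checks, on the server, that the token names its own account.
sub may_view {
    my ($token, $page_account, $now) = @_;
    my $account = verify_token($token, $now);
    return defined $account && $account eq $page_account ? 1 : 0;
}

# Constructed sample run.
my $now   = time;
my $token = issue_token('customer17', $now);
print "own page:      ", may_view($token, 'customer17', $now), "\n";
print "other page:    ", may_view($token, 'customer42', $now), "\n";
(my $edited = $token) =~ s/^customer17/customer42/;
print "edited token:  ", may_view($edited, 'customer42', $now), "\n";
print "expired token: ", may_view($token, 'customer17', $now + $TTL + 1), "\n";
```

The token would be sent with `$q->cookie(-name => ..., -value => $token, -secure => 1, -httponly => 1)` over HTTPS, and only the first line of the sample run prints 1.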
