Q: How secure is this cookie?
Background: I have a hosting reseller account and there are 43 customers. Four years ago I made account history pages for each customer covered with a simple login page (1, below) that calls off this cgi (2) and each account page includes this cookie (3). More web customers are coming on board and account pages include fairly sensitive information and I now wonder how secure is this arrangement.
Is it secure?
Would you recommend a different login arrangement?
Thank you!
(says Richard)
1) login.php includes this form:
<form id="ID" action="destinationURL/cgi-bin/login.cgi" method="post" name="theForm">
    Account reference <input name="password" title="login" onfocus="formInUse = true;">
    <input type="submit" value="login">
</form>
</div>
2) login.cgi
#!/usr/bin/perl
use strict;
use CGI::Cookie;
use CGI qw(:standard);

# Map each account reference (submitted in the "password" field) to its account page.
my %urlList = (
    "password1" => "destinationURL/account-page.php",
    "password2" => "destinationURL/another-account-page.php",
    "password3" => "destinationURL/another-account-page.php",
    "end"       => "",
);
my $invalidurl = "destinationURL/404.php";
my $password   = param('password');
my $q          = CGI->new;

if (exists($urlList{$password})) {
    my $validurl = $urlList{$password};
    # The cookie value is the constant "0" for every account.
    my $cookie = $q->cookie(-name => "validpassword", -value => "0", -path => "/");
    print $q->redirect(-url => $validurl, -cookie => $cookie);
}
else {
    print $q->redirect(-url => $invalidurl);
}
3) account-page.php
<script type="text/javascript">
<!--
// Return the value of the first cookie whose "name=" text matches, or false.
// The pattern is not anchored, so "password" also matches inside "validpassword".
function getCookieValue (cookieName) {
    var exp = new RegExp (cookieName + "=([^;]+)");
    if (exp.test (document.cookie + ";")) {
        exp.exec (document.cookie + ";");
        return unescape(RegExp.$1);
    }
    else return false
}

var invalidpassword = "destinationURL/404.php";

// This check runs in the browser, after the page has been delivered.
if (!getCookieValue ("validpassword")) {
    location.replace (invalidpassword);
}
else {
    var myCookie = getCookieValue ("password");
    if (myCookie != "0") {location.replace (myCookie);}
}
//-->
</script>
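
Added example, not part of the original post or Richard's code: the cookie above holds the same value "0" for every account and is checked by JavaScript after the page has already been sent, so one alternative is a token that the server signs at login and verifies before sending any account data. The sketch assumes Perl's core Digest::SHA module; the secret, the SESSION_SECRET variable, the account names and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not the original login.cgi): issue and verify a signed,
# expiring session token on the server. All names here are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random secret kept outside the web root (demo value below).
my $SECRET = $ENV{SESSION_SECRET} // 'constructed-demo-secret-change-me';
my $TTL    = 30 * 60;    # session lifetime in seconds

# Build "account|expiry|mac". The MAC covers account and expiry, so neither
# can be changed by the client without invalidating the token.
sub issue_token {
    my ($account, $now) = @_;
    die "account name must not contain '|'\n" if $account =~ /\|/;
    my $expires = $now + $TTL;
    return join '|', $account, $expires, hmac_sha256_hex("$account|$expires", $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the account name for a valid, unexpired token; undef otherwise.
sub verify_token {
    my ($token, $now) = @_;
    return unless defined $token;
    my ($account, $expires, $mac) = split /\|/, $token, 3;
    return unless defined $mac && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex("$account|$expires", $SECRET);
    return unless constant_time_eq($mac, $expected);
    return if $now > $expires;
    return $account;
}

# Constructed demonstration: a good token, a tampered one, an expired one.
my $now   = time;
my $token = issue_token('acct-0042', $now);
(my $forged = $token) =~ s/^acct-0042/acct-0007/;
printf "valid:    %s\n", verify_token($token,  $now)             // 'rejected';
printf "tampered: %s\n", verify_token($forged, $now)             // 'rejected';
printf "expired:  %s\n", verify_token($token,  $now + $TTL + 1)  // 'rejected';
```

In login.cgi the token would replace the "0" passed to `$q->cookie(...)`, with `-secure` and `-httponly` set. Each account page then has to run the same verification on the server (PHP provides `hash_hmac` and `hash_equals`) and compare the returned account with the page's owner before producing any output.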