[thelist] RE: Can cookies be faked?

John.Brooking at NA.SAPPI.COM John.Brooking at NA.SAPPI.COM
Thu Oct 9 06:01:18 CDT 2003

Thank you, Simon, for that enlightening reply. That's a definate security
must-know. (I know, I really must take a class.) Can I ask a follow-up?

The fuller context of my question is that I have a CGI application (Perl)
and I want to control access to the scripts in the /cgi-bin. So far I have
not added much security to it at the application level. It sounds like the
standard approach to security in this situation would be implement a login
screen and check usernames and passwords. If the login succeeds, then give
them the session cookie.

If I'm lazy and don't want to go to the trouble (hypothetically-speaking of
course -- if I must do the login/session thing, I will), what about the
following scenario? I use directory security (such as .htaccess with Apache,
or IIS equivalent) to put a "login" page in a protected directory. The login
page sets the cookie  (such as "authlevel=1"), and only server-side code
checks for it. This way, the cookie is still only available to those who
enter a password. I think I'm basically shifting the authentication off on
the web server itself, rather than including it in my application. If I set
the cookie in client-side JavaScript, as long as it's behind that protected
directory, then I also don't need another server-side script to worry about
anyone running. Does this sound like it would pass the test?

I realize it would not be as flexible, unless there is some way to get from
the web server what username was entered. I know in IIS you get an AUTH_USER
or some such variable. Does Apache also set such a thing as a result of
passing .htaccess protection?

- John
This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like. 

More information about the thelist mailing list