perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: [Newbie Q] Cleanest way to implement one logon per user?
Date Thu, 01 Aug 2002 19:21:35 GMT
This isn't strictly a mod_perl thing but this is probably the safest way 
to make  this happen. This happens to be how I've created a secure (by my 
definition. correct me if I get something wrong) web application.

Pipe everything through an SSL tunnel
The initial logon is username + password. A session id # is incremented 
and stored on the web client in a cookie. A md5 hash of that session id 
and a stored secret on the server is also passed to the web client and 
stored in a cookie. From here on out the web client must present an 
accurate session id # + md5 hash. While the session # is predictable it is 
guaranteed to be unique. The hash prevents users from modifying the 
session# since an attacker would not be able to create the correct hash 
for other session #s.

So from there a user session table only holds one stored session # / hash 
per username. This would allow one authenticated user to have many open 
windows but would not allow multiple sessions per user. You can extend 
this concept to force a user to use only a single browser window though 
that is pretty draconian.


Baljit Sethi <>
08/01/2002 02:08 PM

        To:     "''" <>
        Subject:        [Newbie Q] Cleanest way to implement one logon per user?

I am hoping someone can point me in the right direction. 
What I want to do is limit client logons to one logon per username ie 
while a client has a session open, he/she cannot logon to the website from 
another terminal.
Platform: Apache 1.3.x with mod_perl & DBI 
I have looked high and low, gone through Apache book after book with no 
measurable success (mod_usertrack & mod_session are the only modules 
briefly mentioned).
If someone could just point me in the right direction, I will gladly do 
all the required research. 
Ballay :) 

View raw message