









 

Cookies v. Hidden Fields
Siegfried Heintze

2004-09-02, 8:55 pm

What is the difference (as far as security goes) between using a cookie and
a hidden field? Are hidden fields cached if we are using SSL? I think not.



If I use a GUID as a session ID in my database and store the GUID in a
hidden field and the user sees the GUID in some GET parameters, is this of
any consequence?



Someone recommended that I don't persist cookies. How do I not persist
cookies?



Thanks,

Siegfried




Wiggins d Anconia

2004-09-02, 8:55 pm

> What is the difference (as far as security goes) between using a cookie and
> a hidden field? Are hidden fields cached if we are using SSL? I think not.


None. Both are wide open. SSL simply encrypts the "pipe" between your
server and the client (browser). Everything passing over it, including
cookies and hidden fields, is encrypted, or not if SSL is not employed.
I like the pipe analogy: think of everything that goes from the
browser to the server (and both cookies and hidden fields are
client side until the client calls the server) as traveling over a
clear pipe. So if you can see into the pipe, then you can see
everything. Then picture SSL as a wrapper around the pipe; it prevents
you from seeing *everything* traveling over the pipe, so then it is up to you
to make sure the connections at either end work (aka the browser supports
SSL, the server does too, and they have decided to use the covered pipe
instead of the clear one).

>
> If I use a GUID as a session ID in my database and store the GUID in a
> hidden field and the user sees the GUID in some GET parameters, is this of
> any consequence?
>


Depends on what the GUID is made of. Did my other write-up of the
authentication idiom not help? Or work? Or the modules suggested by the
other poster?

>
>
> Someone recommended that I don't persist cookies. How do I not persist
> cookies?
>


They shouldn't persist by default; it is usually a question of "how do I
make them persist", which is covered very clearly here:

http://search.cpan.org/~lds/CGI.pm-...pm#HTTP_COOKIES

http://danconia.org

Octavian Rasnita

2004-09-04, 8:55 am

From: "Siegfried Heintze" <siegfried@heintze.com>


> What is the difference (as far as security goes) between using a cookie and
> a hidden field? Are hidden fields cached if we are using SSL? I think not.


Both have the same security.
A hidden field is simpler to be viewed by a user, but a cracker can see them
both.

>
> If I use a GUID as a session ID in my database and store the GUID in a
> hidden field and the user sees the GUID in some GET parameters, is this of
> any consequence?
>


No, no problem, but it depends how you define that hidden field.
For example, don't use auto-incrementing numbers as hidden fields, but always
use random strings.

>
>
> Someone recommended that I don't persist cookies. How do I not persist
> cookies?
>
>
>


Don't put an expiration date and they will not be persistent.

Teddy
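An added example (not code from the thread or from CGI.pm's documentation) that puts the two answers above into one CGI.pm script: the session ID is drawn from the OS random source instead of an auto-incrementing number, and the cookie is built without `-expires` so the browser discards it when the session ends, with a persistent variant shown for comparison. The cookie name `SESSIONID` and the use of `/dev/urandom` are assumptions.

```perl
#!/usr/bin/perl
# Added example: unpredictable session IDs and session-only cookies with CGI.pm.
use strict;
use warnings;
use CGI;

# Generate a session ID that cannot be guessed from earlier IDs.
# Assumes a Unix-like system with /dev/urandom: 32 random bytes -> 64 hex chars.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

# Build the session cookie. Without -expires the browser keeps the cookie only
# for the current browsing session (the "non-persistent" case in the thread);
# pass a duration such as '+1h' to make it persistent. -secure restricts the
# cookie to SSL connections and -httponly keeps page scripts from reading it.
sub session_cookie {
    my ($q, $id, $expires) = @_;
    my %attr = (
        -name     => 'SESSIONID',   # assumed cookie name
        -value    => $id,
        -path     => '/',
        -secure   => 1,
        -httponly => 1,
    );
    $attr{-expires} = $expires if defined $expires;
    return $q->cookie(%attr);
}

# An empty initializer keeps CGI.pm from reading parameters on STDIN when
# this is run from the command line instead of a web server.
my $q  = CGI->new('');
my $id = new_session_id();

# Session-only cookie (no expiration date), as recommended in the thread:
my $session_only = session_cookie($q, $id);
# Persistent variant, for comparison:
my $persistent = session_cookie($q, $id, '+1h');

print $q->header(-type => 'text/plain', -cookie => $session_only);
print "Session-only cookie: $session_only\n";
print "Persistent cookie:   $persistent\n";
```

Run under a web server the first print emits the real `Set-Cookie` header; the two text lines show the difference, which is only the presence of an `expires` attribute.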









Copyright 2008 codecomments.com