Download

More Information

Perl MD5 Secure Login

Changes: This version fixes a bug in the Javascript submit and includes some code cleanup and additional comments.

Changes: Cookies sessions now check the IP address of the client. During the initial user authorization, their IP address is stored, referenced by their cookie ID. The session cookie and the current environment IP address must match during future accesses, or the cookie session validation will fail. Also, if the md5.js javascript file was not installed in the right location, the password would be sent un-encrypted. The javascript md5 code is now output to the browser with a Perl print statement. Since the MD5 algorithm is public, it doesn't matter that people can see the MD5 code.

Changes: The database locking code was integrated into the LoginMD5.pm module to make installation and use easier.

Changes: In this version, the session ID logic was rewritten. Only one response is possible for each session ID. Duplicating a correct response for any particular sessionID will be difficult, since it requires both the client user/password response hash as well as the unique session ID for authentication, and there is a timeout period to respond to any single session ID. These changes make simple sniffing and replaying the response much more difficult. Other changes include the addition of 'addUser.pl' and 'removeUser.pl' command line utilities.

Changes: This release is now in a separate LoginMD5.pm module for easy integration into existing Perl/CGI apps, with a mainProgram.cgi test example. It uses cookies: after a user has successfully logged in, it stores an MD5 encrypted key on the client machine to maintain a user session (for 1 day, by default).