passwords to CGI

Erik Max Francis max at alcyone.com
Wed Jan 15 03:47:41 EST 2003


Will Stuyvesant wrote:

> I don't know about setting up SSL for a site.  Do you think my local
> ISP would support it?  I mean is it normal to expect them to provide
> it?

A professional ISP would, but they may charge you extra.  You'd have to
pay for certificates as well.

> My site is nonexistent yet...I am still in the development phase.  So
> far I have been able to program and design login pages (with
> passwords) and a couple of subsequent pages that use a user ID code
> generated by the login page CGI script: the user ID code is based on
> the current time and passed along via <input type=hidden> tags.  This
> seems to work ok and it would be very hard for somebody else to guess
> a randomly generated user ID code that is only valid a limited time.

I've done similar things, and it's usually sufficient if you're not too
worried about people compromising each other's accounts.  You should
also include the remote host in generating the ID, so that someone can't
sniff it remotely and then use it from another host (while the ID is
still active).  In my case it was a combination of the user name/ID,
host, login time, and a random number, obscured and then fed through an
md5 hash to generate a ticket.

Then ensure that when players log out the tickets are invalidated, and
that they expire after a certain amount of time.

-- 
 Erik Max Francis / max at alcyone.com / http://www.alcyone.com/max/
 __ San Jose, CA, USA / 37 20 N 121 53 W / &tSftDotIotE
/  \ Substance is one of the greatest of our illusions.
\__/ Sir Arthur Eddington
    Bosskey.net: Return to Wolfenstein / http://www.bosskey.net/rtcw/
 A personal guide to Return to Castle Wolfenstein.
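
The ticket scheme described in the reply above, as an added example that is not code from the original post or its author: a ticket derived from user, remote host, login time and a random number, checked against the requesting host, expired after a time limit and invalidated on logout. The names TicketStore, SERVER_KEY and TICKET_TTL are assumptions, and HMAC-SHA256 with a server-side key is used here in place of the "obscured and then fed through an md5 hash" step.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
TICKET_TTL = 900                      # assumption: tickets live for 15 minutes


class TicketStore:
    """Server-side record of active login tickets (hypothetical helper)."""

    def __init__(self, key=SERVER_KEY, ttl=TICKET_TTL, clock=time.time):
        self._key, self._ttl, self._clock = key, ttl, clock
        self._active = {}  # ticket -> (user, bound host, expiry timestamp)

    def issue(self, user, host):
        """Create a ticket from user, remote host, login time and a random number."""
        now = int(self._clock())
        nonce = secrets.token_hex(16)
        msg = "\x00".join((user, host, str(now), nonce)).encode()
        ticket = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._active[ticket] = (user, host, now + self._ttl)
        return ticket

    def validate(self, ticket, host):
        """Return the user name for a live ticket presented from its own host."""
        record = self._active.get(ticket)
        if record is None:
            return None                # unknown, logged out, or already expired
        user, bound_host, expires_at = record
        if self._clock() >= expires_at:
            del self._active[ticket]   # expire after the time limit
            return None
        if host != bound_host:
            return None                # sniffed ticket replayed from another host
        return user

    def logout(self, ticket):
        """Invalidate the ticket immediately when the user logs out."""
        self._active.pop(ticket, None)
```

In a CGI script the host argument would come from the REMOTE_ADDR environment variable, and the store would need to persist between requests (a file or database) instead of living in memory.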



