[Catalyst] Re: fine Authentication
David Storrs
dstorrs at dstorrs.com
Thu Aug 4 19:04:45 CEST 2005
On Aug 4, 2005, at 11:42 AM, Jürgen Peters wrote:
> On Thu, 4 Aug 2005 18:14:14 +0300, Vlad Bazon wrote
>> On the other hand, in order to avoid <manually> modifying the data of
>> another user, a solution could be the (banal) extension of the
>> controller code with:
>>
>> [code that relies on checking for GET calls vs username/password]
>> Am I wrong?
>>
>
> yes, you are. many users are able to save and edit the html page to
> fake a POST request. and that's just the trivial way. being a
> programmer, i could always write a Perl script which pretends to be a
> browser doing a POST request. and that's not hard to do either, even
> for script kiddies.
> just use serious authentication which requires some hard-to-guess
> information from the user. everything else is rubbish.
Succinctly, albeit indelicately, put. :>
Vlad, Jürgen is right on the money. If you want to do
authentication, ask the user for a username and password, then check
this information against the database. Anything less than that is
completely useless.
For detailed directions on how to do this, look here:
http://dev.catalyst.perl.org/wiki/MoreFAQ
It provides a discussion, further pointers, and a complete (tested)
Login.pm for you.
Also, could you please bottom-post (or, best of all, intermix) future
replies? It makes it easier to follow the conversation.
--Dks
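As an added illustration of the point made in this thread, not code from the list or from Catalyst: a plain Perl sketch in which the method-only check accepts a forged POST while a check of the user's credentials and ownership of the record rejects it. The in-memory user and record tables, the salted SHA-256 password hashing, and the function names are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed in-memory "database" standing in for the real one.
# Passwords are stored salted and hashed, never in clear text.
my %users = (
    vlad => { salt => 's1', pw_hash => sha256_hex('s1' . 'correct horse') },
);
my %records = ( 42 => { owner => 'vlad', body => 'draft' } );

# The flawed idea from the thread: trust the HTTP method. Any client can
# send a POST, so this grants edit rights to everyone.
sub method_only_check {
    my ($req) = @_;
    return $req->{method} eq 'POST';
}

# Verify the supplied username/password against the database.
# Returns the username on success, undef otherwise.
sub authenticate {
    my ($username, $password) = @_;
    my $u = $users{$username} or return;
    return sha256_hex($u->{salt} . $password) eq $u->{pw_hash} ? $username : undef;
}

# Proper check: authenticate first, then require that the authenticated
# user owns the record being edited. The request method plays no part.
sub can_edit {
    my ($req, $record_id) = @_;
    my $who = authenticate($req->{username} || '', $req->{password} || '')
        or return 0;
    my $rec = $records{$record_id} or return 0;
    return $rec->{owner} eq $who ? 1 : 0;
}

# A forged POST carrying no credentials, as a script pretending to be a browser would send.
my $forged = { method => 'POST' };
print "method-only check: ", (method_only_check($forged) ? "allowed" : "denied"), "\n";
print "credential check:  ", (can_edit($forged, 42) ? "allowed" : "denied"), "\n";

# The legitimate owner, with the right password, is still allowed to edit.
my $owner = { method => 'POST', username => 'vlad', password => 'correct horse' };
print "owner edit:        ", (can_edit($owner, 42) ? "allowed" : "denied"), "\n";
```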