radical hacks MD5 Enhanced Authentication

Ok, here are the modifications to the authentication library. As per Gunther's suggestions, I made the use of these features optional, by the use of two (2) new setup variables.

Everything is condensed in the three files, included in a single TAR File.

Things are pretty much straightforward: if the user disables one of the new auth setup variables, the subroutines for that feature will revert to "business as usual". So if both are disabled, then you get everything as if using the normal libraries.

Here are some notes for the users:

The two modifications to the Authentication scripts include the following:
  1. MD5 Encryption
  2. IP secure

MD5 Encryption

Allows the use of a far superior encryption algorithm (MD5) for passwords encrypted by the scripts. This is especially useful if the Perl encrypt() function is broken on the Perl interpreter you are using, or you simply want to make things more complicated for your household hacker.

Requirements:
  - MD5 Perl module installed on the system.
  - The two substitute perl libraries provided.

Drawbacks:
  - It will render obsolete the passwords stored in a previous user's file.

IP Secure

Generates a session file, based on the IP passed at logon by the browser (cgi based Authentication). This will force a new logon prompt whenever a new IP is assigned, such as when creating a new Internet dial-up connection through an ISP.

I didn't like the fact that:
  1) The scripts were not authenticating anything after a successful logon.
  2) The session id, constantly being passed (usually) as clear text between the browser and the server, would make it possible for nearly anyone to "hijack" the session id and gain easy entry to all the protected resources.

It will not turn your web site into a "super bunker", but it will definitely step up cgi based security quite a bit.

Requirements:
  - The two substitute perl libraries provided.

Drawbacks:
  - Your mileage may vary, depending on unforeseen problems with Intranets, IP assigned during connection, or things like whether or not you like to "bookmark" pages that include a session id.

I made the use of these two features (modifications) optional, by the use of two (2) new auth setup variables. So things should be pretty much straightforward.

If the user disables one of the new auth setup variables, the subroutines for that feature will revert to "business as usual". So if both are disabled, then you get everything as if using the normal libraries (auth-lib.pl and auth-extra-lib.pl).

The compressed file contains:
  - auth-MD5.setup (sample auth setup file)
  - auth-lib-MD5.pl (substitute for auth-lib.pl)
  - auth-extra-lib-MD5.pl (substitute for auth-extra-lib.pl)

Everything you need to know (I hope) is included in the comments I made in the files. (### RHP some date)

I enjoy very much my little Authentication hacks, and I hope you will enjoy them too!

Regards,

Ignacio
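
The IP Secure check described in the post, as an added example that is not part of the original post or of the libraries in the TAR file: a session file records the IP seen at logon, and every later request is checked against it. The subroutine names, the "ip|user" file layout, the session id generation from /dev/urandom, and the choice to delete the session on a mismatch are assumptions of this sketch.

```perl
#!/usr/bin/perl
# Added example: IP-bound session files. Subroutine names and the file layout
# are hypothetical and are not taken from auth-lib-MD5.pl.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $session_dir = tempdir(CLEANUP => 1);    # stand-in for the session directory

# At logon: create a session file that records the client IP and user name.
sub create_session {
    my ($user, $ip) = @_;
    open(my $rnd, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($rnd, my $bytes, 16) == 16 or die "short read from urandom";
    close($rnd);
    my $sid = unpack('H*', $bytes);         # 32 hex characters
    open(my $fh, '>', "$session_dir/$sid") or die "session file: $!";
    print $fh "$ip|$user\n";
    close($fh);
    return $sid;
}

# On every request: return the user name only if the session file exists and
# the current IP matches the one stored at logon. Otherwise return nothing,
# and the caller shows the logon prompt again.
sub check_session {
    my ($sid, $ip) = @_;
    # Accept only the id format we issue, so the id cannot name another path.
    return unless defined $sid && $sid =~ /^([0-9a-f]{32})$/;
    my $file = "$session_dir/$1";
    open(my $fh, '<', $file) or return;
    my $line = <$fh>;
    close($fh);
    return unless defined $line;
    chomp $line;
    my ($stored_ip, $user) = split /\|/, $line, 2;
    if ($stored_ip ne $ip) {
        unlink $file;    # this sketch's choice: an IP change ends the session
        return;
    }
    return $user;
}

# Constructed sample run; in a CGI script the IP would be $ENV{REMOTE_ADDR}.
my $sid = create_session('alice', '192.0.2.10');
for my $ip ('192.0.2.10', '198.51.100.7', '192.0.2.10') {
    my $user = check_session($sid, $ip);
    printf "%-13s -> %s\n", $ip, defined $user ? "ok ($user)" : "logon required";
}
```

Clients behind the same proxy or NAT gateway present the same address, so this check does not tell them apart; it narrows who can reuse a captured session id rather than protecting the id itself.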