Does this seem a reasonably secure session-management system?

Hello all,

I'm writing an online user-registration system and I'd appreciate adice on security.

Users can register by invitation only - invitees are given a username and password prior to visiting the registration page.  When they get there, reegistration is in two steps:
1. Input the username & password they were given
2. A Perl script looks up their record in a MySQL db to validate the input
3. If validated, the script pulls some other information specific to the user, and returns a template page that has a form for more personal info input and a "Confirm registration" button.  But first, it generates a unique session-id and returns it as a hidden field in the new page's form, as well as recording in the db the date & time of the creation of this session.
4. When the user submits the "confirm registration" form, the system checks the session-id for validity and the new submission time against the first one for time-out.  If it's all OK, it completes registration.

Everything is passed in the clear.  This is http, not https.

I need to be reasonably sure bots or hackers are not registering and figure this is a good way.  It's not perfect - but this is not a military or big-bank site or anything.

Critiques, suggestions, all welcome and appreciated.

Thanks.
LVL 1
xfvgdrthbdtyvhgscvAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

hbustanCommented:
My Security Advice is related to Points #2 & #3.

You need to ensure that your script is aware of SQL Injection techniques. Simply put, this technique allows hackers to fake validity of entry by placing specific commands on the Username or Password Fields.

My advice for avoiding this problem is to store the passwords encrypted on the database, and before checking validity:

Step 1)  use a function to clear the username given from any non-wanted characters (for instance only accept characters and perhaps numbers in the username).
Step 2) use a function to convert the password entered into the encrypted format
Step 3) Now validate

Although this might sound complicated, this will ensure such techniques fail - also the encrypted function does not need to be complicated just as long as it alters the original password to something else.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Applications

From novice to tech pro — start learning today.