We help IT Professionals succeed at work.

Does this seem a reasonably secure session-management system?

Hello all,

I'm writing an online user-registration system and I'd appreciate adice on security.

Users can register by invitation only - invitees are given a username and password prior to visiting the registration page.  When they get there, reegistration is in two steps:
1. Input the username & password they were given
2. A Perl script looks up their record in a MySQL db to validate the input
3. If validated, the script pulls some other information specific to the user, and returns a template page that has a form for more personal info input and a "Confirm registration" button.  But first, it generates a unique session-id and returns it as a hidden field in the new page's form, as well as recording in the db the date & time of the creation of this session.
4. When the user submits the "confirm registration" form, the system checks the session-id for validity and the new submission time against the first one for time-out.  If it's all OK, it completes registration.

Everything is passed in the clear.  This is http, not https.

I need to be reasonably sure bots or hackers are not registering and figure this is a good way.  It's not perfect - but this is not a military or big-bank site or anything.

Critiques, suggestions, all welcome and appreciated.

Watch Question

My Security Advice is related to Points #2 & #3.

You need to ensure that your script is aware of SQL Injection techniques. Simply put, this technique allows hackers to fake validity of entry by placing specific commands on the Username or Password Fields.

My advice for avoiding this problem is to store the passwords encrypted on the database, and before checking validity:

Step 1)  use a function to clear the username given from any non-wanted characters (for instance only accept characters and perhaps numbers in the username).
Step 2) use a function to convert the password entered into the encrypted format
Step 3) Now validate

Although this might sound complicated, this will ensure such techniques fail - also the encrypted function does not need to be complicated just as long as it alters the original password to something else.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.