Course: ITSE6079 CGI Programming Techniques
Instructor:
Ashley Rosilier cgi@iteachu.com

Dates: Aug. 4 - Sept. 12, 2003


Lesson 9 - Security

Due Date - Mon., Sept. 8

Lesson Outline

Required Reading

  1. WWW: Web Security: A Survey (focus on first three sections)
  2. CGI 101: Chapter 16
  3. WWW: CGI Security
  4. WWW: Security Issues when Installing and Customizing Pre-Built Web Scripts
  5. WWW: Boxed and Wrapped
  6. WWW: Controlling Access to your Pages with .htaccess
  7. WWW: eCommerce FAQ
  8. WWW: SSL Secure Server Tutorial (including the six bulleted links)

Additional Resources

An important component of CGI security is a secure server configuration: a perfectly written script is still exposed if the server around it is not. You may want to review the Apache configuration notes from BigNoseBird, and DevShed has an in-depth look at setting up a secure server.

One new standard coming into play is the use of SSH instead of telnet for remote access to web servers. Telnet sends your login name and password across the network in the clear, where anyone on the path can read them; SSH encrypts the whole session.

There is always debate about which operating system is more secure. An interesting read is this article about a PCLabs test between Linux and NT.

The W3 Security FAQ has much of the same information as the articles required above, but be sure to at least review the list of scripts with known security bugs.

For more information on using Perl's taint mechanism (the -T switch, which marks every value that came from outside the script and refuses to pass it to the shell or the file system until you have validated it), check out this article from ZDnet.
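The following script is an added example of taint mode in action; it is not from the course or the ZDnet article. It takes the "file" parameter from the command line (standing in for a CGI parameter, which is tainted in exactly the same way), validates it with a regex capture, and only then appends to a file under a fixed directory. The directory path /tmp/cgi-notes and the .txt naming rule are assumptions for the demo. Run it as `perl -T untaint.pl report-2003.txt`, then as `perl -T untaint.pl '../../etc/passwd'` (the -T on the command line is required, or Perl reports "Too late for -T").

```perl
#!/usr/bin/perl -T
# Added example: untainting user input under Perl's -T switch.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value from outside the program (%ENV, @ARGV, STDIN, CGI
# parameters, anything read from a file) is tainted, and Perl dies with
# "Insecure dependency ... while running with -T switch" if a tainted value
# reaches system(), exec(), backticks, unlink, rename, or open() for writing.
# Read-only open() is NOT checked, so the regex below, not -T itself, is what
# stops path traversal on reads.

# $ENV{PATH} is tainted too; it must be set to a fixed value before any
# system()/exec(), and the shell-influencing variables dropped.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical notes directory; in a real CGI this is a fixed server-side path.
my $notes_dir = '/tmp/cgi-notes';

# Untainting is done by regex capture: only what you matched and extracted
# through $1 becomes clean. Untainting with /(.*)/ defeats the whole point.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # Exactly one path component: starts with a letter or digit (so no '..',
    # no dotfiles, no '/'), then letters, digits, '.', '_' or '-', ending in .txt
    return unless $raw =~ /\A([A-Za-z0-9][A-Za-z0-9._-]*\.txt)\z/;
    return $1;
}

my $raw = $ARGV[0];    # stands in for CGI->new->param('file'), also tainted
die "usage: perl -T $0 FILENAME\n" unless defined $raw;
printf "argument is %stainted\n", tainted($raw) ? '' : 'not ';

# Had we used $raw directly in the open() below, -T would abort the script.
my $name = untaint_filename($raw)
    or die "rejected filename: '$raw'\n";    # '../../etc/passwd' stops here
printf "validated name is %stainted\n", tainted($name) ? '' : 'not ';

mkdir $notes_dir unless -d $notes_dir;
my $path = "$notes_dir/$name";    # built only from clean values
open my $fh, '>>', $path or die "cannot append to $path: $!\n";
print {$fh} "note appended\n";
close $fh or die "close failed: $!\n";
print "appended to $path\n";
```

The important habit is that the regex describes what a valid value looks like (a whitelist) rather than trying to strip out dangerous characters; a blacklist is always one character short.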

CGI Programming with Perl has an excellent chapter on CGI security issues.

It's important to remain abreast of current security news. Here are some good sites to visit regularly: CERT, Phrack, SecurityFocus.

The crypt function is built into Perl, C (the crypt(3) library call on UNIX), and others. It is a one-way hash: you store crypt's output rather than the password, and check a later attempt by running crypt again with the stored value as the salt and comparing the two. To see what the output looks like, try this neat-o script. And perl.com has a page showing you how to use crypt.

Encryption is a massive subject in and of itself. Here is a good starting point for further investigation.

There are other methods besides .htaccess for password protecting directories, but .htaccess is generally considered more secure because the check is done by the web server itself, before any script of yours runs. If you want to see what other options are out there, check out the scripts in the public domain. The general alternative approach is to funnel all requests through a CGI script that prompts for a password, or checks for a cookie, and compares against a database of valid passwords (stored as crypt hashes, never in the clear). This is similar to what you will do in project 5. Note that if you store the password in a cookie, you must encrypt it first; better still, keep the password hash on the server and put only a random session token in the cookie, so a stolen cookie reveals nothing about the password and can be revoked.
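The script below is an added example covering both the crypt usage above and the cookie-based gate just described; it is not from the course or from project 5. The user table and the incoming Cookie header are constructed inline so it runs from the command line without a web server, and it assumes a glibc system where crypt() understands the "$6$" (SHA-512) salt prefix and /dev/urandom is available.

```perl
#!/usr/bin/perl -T
# Added example: crypt()-based password storage plus a session-cookie gate.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my @salt_chars = ('A'..'Z', 'a'..'z', '0'..'9', '.', '/');    # 64 symbols

# Random characters from the crypt salt alphabet, read from /dev/urandom
# (assumption: Unix). Perl's rand() is not suitable for salts or tokens.
sub random_chars {
    my ($len) = @_;
    open my $rnd, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!\n";
    read($rnd, my $bytes, $len) == $len or die "short read from /dev/urandom\n";
    close $rnd;
    # 256 is a multiple of 64, so ord() % 64 is uniform over the alphabet.
    return join '', map { $salt_chars[ord($_) % @salt_chars] } split //, $bytes;
}

# crypt() output embeds its own salt, so the stored string is all you need.
sub hash_password {
    my ($plain) = @_;
    # '$6$' selects SHA-512 crypt (glibc). A bare 2-character salt selects
    # traditional DES crypt, which ignores everything past the 8th character
    # of the password and has only a 12-bit salt; avoid it.
    my $hashed = crypt($plain, '$6$' . random_chars(16) . '$');
    die "system crypt() does not support \$6\$ (SHA-512)\n"
        unless defined $hashed && index($hashed, '$6$') == 0;
    return $hashed;
}

# Verify by re-running crypt with the stored hash as the salt.
sub check_password {
    my ($plain, $stored) = @_;
    return defined $plain && crypt($plain, $stored) eq $stored;
}

# Constructed "database": username => crypt hash. The password is never stored.
my %users = ( alice => hash_password('correct horse') );

# Session store: sha256(token) => username. The cookie carries a random token,
# not the password, and the server keeps only the token's hash, so a leaked
# session table cannot be replayed as cookies.
my %sessions;

sub login {
    my ($user, $password) = @_;
    return unless defined $user && exists $users{$user}
               && check_password($password, $users{$user});
    my $token = random_chars(32);    # 192 bits of randomness
    $sessions{ sha256_hex($token) } = $user;
    return $token;
}

# Parse an HTTP Cookie header ("a=1; session=...") and look the session up.
sub user_from_cookie {
    my ($cookie_header) = @_;
    return unless defined $cookie_header;
    my %cookie = map { split /=/, $_, 2 } grep { /=/ } split /;\s*/, $cookie_header;
    return unless defined $cookie{session};
    # The capture also untaints the value under -T.
    return unless $cookie{session} =~ /\A([A-Za-z0-9.\/]{32})\z/;
    return $sessions{ sha256_hex($1) };    # undef when not logged in
}

# Walk through one login and one follow-up request.
print "stored hash for alice: $users{alice}\n";
print "wrong password: ", (login('alice', 'wrong') ? 'accepted' : 'rejected'), "\n";
my $token = login('alice', 'correct horse') or die "login failed\n";
# In a real CGI this header goes out before the Content-type line.
print "Set-Cookie: session=$token; Secure; HttpOnly\n";

# A later request arrives with the cookie (constructed header):
my $who = user_from_cookie("lang=en; session=$token");
print "request authenticated as: ", (defined $who ? $who : 'nobody'), "\n";
my $forged = user_from_cookie('session=' . 'A' x 32);
print "forged cookie: ", (defined $forged ? $forged : 'nobody'), "\n";
```

The Secure flag keeps the browser from sending the token over plain HTTP, and HttpOnly keeps page scripts from reading it; in a real deployment the %sessions table would live in a file or database shared across requests, since each CGI invocation starts with an empty one.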

Note that .htaccess files can do more than just set up password protection (for example, restricting access by client IP address or host name, or setting custom error pages), although your ISP may limit what you can do with them.
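As an added example (not from the course or the .htaccess reading), here is the minimal .htaccess that password-protects the directory it sits in. It assumes Apache with the basic-auth modules loaded and AllowOverride AuthConfig granted for that directory; the path /home/alice/private/.htpasswd is a placeholder.

```apache
# .htaccess placed in the directory to protect
AuthType Basic
AuthName "Members Only"
# Keep the password file OUTSIDE the document root so the server can never
# serve it; the path must be absolute.
AuthUserFile /home/alice/private/.htpasswd
# Any user listed in the file may enter; "Require user alice bob" would
# restrict it to named accounts.
Require valid-user
```

Create the password file with `htpasswd -c /home/alice/private/.htpasswd alice` (drop -c when adding further users, or it overwrites the file). Two caveats: Basic authentication sends the name and password on every request in a trivially decodable base64 encoding, so protect anything sensitive with SSL as well (see the required SSL reading); and the protection only covers requests that go through this Apache server, not files reachable by other means such as FTP or a shared shell account.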

In the eCommerce arena, companies like Gomez.com are trying to increase security by certifying internet merchants.

Next Step

Take the self-quiz

Start project 6

Continue to lesson 10

info@iteachu.com

© Copyright 2001-2002 iTeachU All Rights Reserved