
I am working with the Mojolicious web framework to build a small site. I am aiming for strong security. The first step is to secure login information, mainly the username and password. I want to implement the logic given by the asker of this post: Username, Password, Salting, Encrypting, Hash - How does it all work? The username and password must be at least salted and hashed in the user's browser before they are sent to the Mojolicious web server over the internet. I think the best way is to use embedded Perl to manipulate the form values and then reassign them, so that when the 'submit' button is pressed only the salted and hashed username and password are received inside the controller. The logic in Mojolicious would be like the following (copied from the Mojolicious website; MyUsers.pm handles login validation on the server and I will tweak it to handle salted and hashed strings):

#!/usr/bin/env perl

use Mojolicious::Lite;
use lib 'lib';
use MyUsers;

# Helper to lazily initialize and store our model object
helper users => sub { state $users = MyUsers->new };

# GET / renders the login form
any '/' => sub {
    my $self = shift;
    $self->render('login');
};

# The form posts to /check_login (route needs the leading slash)
any '/check_login' => sub {
    my $self = shift;

    # Form parameters
    my $user = $self->param('user') || '';
    my $pass = $self->param('pass') || '';

    # Check password
    return $self->render(text => "Welcome $user.")
        if $self->users->check($user, $pass);

    # Failed
    $self->render(text => 'Wrong username or password.');
};

app->start;

__DATA__
@@ login.html.ep
% title 'Login Page.';
<form name="input" action="/check_login" method="post">
User: <input type="text" name="user"><br>
Pass: <input type="password" name="pass"><br>

<!-- DO SOMETHING HERE to salt and hash $user and $pass before post -->

<input type="submit" value="Submit">
</form>
Nishant Bhardwaj

1 Answer


Finally got the solution in this excellent article link. However, please be aware that there are many JavaScript md5 libraries. By mistake I downloaded a different md5 library than the one mentioned in the article. I wasted a lot of time figuring out that the hash function did not work because I had a different md5 library. The article uses the md5 lib from this link.

Nishant Bhardwaj