RE: LDAP and Single Sign On MORE THOUGHTS


Quoting jblanchard@xxxxxxxxxx:

[snip]
Couldn't I write my own cookie to fool the authentication into
thinking I'm somebody else?
[/snip]

I suppose that you could do that if you were savvy enough to realize
that automatic login to the intranet used a cookie for authentication
and you knew how to format the cookie and properly hash a checksum
stored in the cookie. The user information stored in the cookie would be
verified against the AD via LDAP.

First, let me apologize for having to take it to a basic level. I'll admit that I'm fairly new to web development, but this is something I could *really* use at work and I want to make sure I understand (just to set the stage, we use Windows/Active Directory/MS SQL Server at work, but have decided that future applications will be written in PHP running on Linux/Apache).

So I have a login script that sets a cookie when the user logs in. Then I have an application written in PHP that reads the cookie for authentication purposes.

What would I store in the cookie? Would the username be sufficient (since the cookie was set, we can assume that it was already authenticated through AD, right?), or is there something more I can add to the cookie to make the process more secure?

Which leads back to my original question: what would keep me from setting a cookie with, say, my manager's username, fooling the PHP application into thinking I'm her?

I can't help but feel like I'm missing something.

Thanks,
Rick

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
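The concern in this thread is the right one: a cookie that holds only a username is trivially forgeable, because anyone can set a cookie with any value. The earlier reply's answer was a "properly hashed checksum", and the thing that makes such a checksum unforgeable is a secret that only the server knows. The example below is added here for illustration and is not code from the thread or from any of its participants. It puts the weak cookie from the question next to a cookie carrying an HMAC computed with a server-side secret plus an expiry, so that someone who knows the cookie format but not the secret still cannot produce a valid cookie for another user. The secret value, the one-hour lifetime and the user names are constructed for the demo.

```php
<?php
// Added example, not from the original mailing-list thread.
// Assumption: $secret is loaded from server-side configuration (never sent to
// the browser) and is a long random string. The AD/LDAP check that happens at
// login time is outside this snippet; it only covers what goes into the cookie
// and how the application verifies it on later requests.

const COOKIE_TTL = 3600; // seconds a login cookie stays valid (constructed value)

// The form described in the question: the cookie is just the username.
// Anyone who can write a cookie can claim to be anyone.
function makeWeakCookie(string $username): string
{
    return $username;
}

// Hardened form: username . expiry . HMAC-SHA256 over both, keyed with the
// server-side secret. Changing the username or the expiry invalidates the MAC.
function makeSignedCookie(string $username, string $secret, ?int $now = null): string
{
    $now = $now ?? time();
    $expires = $now + COOKIE_TTL;
    // base64 keeps the username free of the '.' separator used below.
    $payload = base64_encode($username) . '.' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Returns the username if the cookie is genuine and unexpired, otherwise null.
function verifySignedCookie(string $cookie, string $secret, ?int $now = null): ?string
{
    $now = $now ?? time();
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user64, $expires, $mac] = $parts;
    if (!ctype_digit($expires)) {
        return null;
    }
    // Recompute the MAC over exactly what was signed and compare in constant time.
    $expected = hash_hmac('sha256', $user64 . '.' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires < $now) {
        return null;
    }
    $username = base64_decode($user64, true);
    return $username === false ? null : $username;
}

// Demo with constructed values (run from the command line: php cookie_demo.php).
$secret = 'replace-with-a-long-random-server-side-secret'; // constructed placeholder

$weak = makeWeakCookie('rick');
echo "weak cookie: {$weak} (nothing stops this from being edited)\n";

$good = makeSignedCookie('rick', $secret);
echo 'signed cookie verifies as: ', var_export(verifySignedCookie($good, $secret), true), "\n";

// A cookie built in the right format, for another user, without the secret:
// the MAC does not match, so verification fails.
$tampered = base64_encode('manager') . '.' . (time() + COOKIE_TTL) . '.' . str_repeat('0', 64);
echo 'tampered cookie verifies as: ', var_export(verifySignedCookie($tampered, $secret), true), "\n";

// An otherwise valid cookie that has passed its expiry is also rejected.
$expired = makeSignedCookie('rick', $secret, time() - 2 * COOKIE_TTL);
echo 'expired cookie verifies as: ', var_export(verifySignedCookie($expired, $secret), true), "\n";
```

Two notes on using this. First, the MAC only proves the cookie was issued by the server; it does not hide the username, so anything that must stay private should not be in the cookie at all. Second, the more common PHP answer is to not put identity in the cookie in the first place: call `session_start()` after the LDAP check succeeds and store the username in `$_SESSION`, so the browser holds only an opaque random session ID and the username lives on the server. Either way, the cookie should be marked `HttpOnly` and, on HTTPS, `Secure`, and the LDAP bind should still be the thing that establishes who the user is at login time.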
