Re: LDAP and Single Sign On MORE THOUGHTS

Rick Emery wrote:
Quoting jblanchard@xxxxxxxxxx:

You could just store a username, since they have already authenticated,
but a cookie with just a username would be easy to duplicate. My current
thought is to hash a checksum of some sort and store that in the
cookie as well. That way you avoid the username-only problem. I do not
want to store the user's password in any format in the cookie. I am
thinking that the login script will cause a cookie to be written (via
PHP) with a base64-encoded
(http://www.php.net/manual/en/function.base64-encode.php) string or some
other hash method. Then that string could be decoded when the user
accesses the intranet site and compared against whatever criteria you
deem necessary.


Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be

I wouldn't do it like that....

Instead, stick the username in the cookie in plaintext and also as a one-way
hash (the hash creation could make use of a fixed, secret prefix string,
amongst other things, to make it secure). Then, to check the cookie, you take the
plaintext name, perform the same hash creation routine on it and compare the result
with the hash that was sent in the cookie; if they match, the
cookie could be considered valid and untampered.

The basic gist being: don't use two-way encryption, use a one-way hash like sha1().

safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm... something to think about.

Well, you can stick it in the session ... but like I said, decoding is an
unnecessary step, it seems to me (given that you can achieve the validation
using a one-way encryption method).


I have not tested this though. It is on my task list for next week
though. :)


Let us know how it goes!

Thanks,
Rick


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php