On Sat, 21 Oct 2006 18:16:19 +0200, Dotan Cohen wrote:

> On 21/10/06, Dotan Cohen <dotancohen@xxxxxxxxx> wrote:
>> I'm in the horrible situation where I need a one-page script to hold
>> its own password and validate itself. I coded this together, I want
>> this list's opinion as to whether or not it holds water, considering
>> the circumstance:
>>
>> <?php
>>
>> $sha1_pw="5218lm849l394k1396dip4'2561lq19k967e'30";
>>
>> if ( $_COOKIE["password"] != sha1($sha1_pw) ) {
>>     // read PATH_INFO from $_SERVER instead of relying on register_globals
>>     $varis=explode("/",$_SERVER["PATH_INFO"]);
>>     $pre_password=explode("&",$varis[1]);
>>     if ( sha1( substr($pre_password[0],0) ) == $sha1_pw ) {
>>         setcookie("password", sha1($sha1_pw) );
>>         header("Location: ".$_SERVER["SCRIPT_NAME"]."/".rand(999,99999));
>>         exit;
>>     } else {
>>         print "Fvck Off";
>>         exit;
>>     }
>> }
>>
>> // REST OF PAGE
>>
>> ?>
>>
>> The idea is that the user could call the page like this:
>> http://server.com/directory/page.php/MyPassword
>> and the page would refresh to not show his password, yet keep him logged in.
>>
>> Thanks for any and all input.
>
> I should probably add more detail. I didn't want even the sha1 hashed
> password stored in the cookie, so the sha1 hash is sha1 hashed
> again. That way, the password is not stored in plain text anywhere,
> and the sha1 hash of the password is stored only on the server.
>
> Like I said, the file must be self-contained. What do the list members
> think of this solution? Thanks.
>
> Dotan Cohen

Hi Dotan,

My approach would be to store the password in the $_SESSION array, but be
absolutely sure that cookies are used for session authorization, to prevent
session hijacking.

The good thing about using $_SESSION is that the password, hashed or not,
would *never* be sent to the user. Only the session id.

By the way: substr($pre_password[0],0) serves no purpose :)

Ivo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
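The session-based variant Ivo describes, written out as an added example (not code from either poster): a single self-contained page that keeps only a login flag in $_SESSION, so the browser receives nothing but the session id, and takes the password from a POST body rather than from the URL path. It assumes PHP 7.3 or later and that STORED_HASH is replaced with the output of password_hash() for your own password.

```php
<?php
// Added example, not the thread's code. STORED_HASH is a placeholder: generate the
// real value once with password_hash('your password', PASSWORD_DEFAULT) and paste it
// here. The plaintext is stored nowhere; an invalid placeholder simply fails closed.
const STORED_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Session cookie hardening: no script access, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The password travels in the POST body, not in PATH_INFO, so it does not end
    // up in access logs, browser history or Referer headers.
    $candidate = $_POST['password'] ?? '';
    if (password_verify($candidate, STORED_HASH)) {   // constant-time comparison
        session_regenerate_id(true);   // discard any id the client held before login
        $_SESSION['authenticated'] = true;
    }
    // Redirect after POST so a reload cannot resubmit the password.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

if (empty($_SESSION['authenticated'])) {
    http_response_code(401);
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="' . $action . '">'
       . '<input type="password" name="password" autocomplete="current-password">'
       . '<button type="submit">Log in</button>'
       . '</form>';
    exit;
}

// REST OF PAGE: reached only with a session that passed password_verify().
```

A wrong password and a right one both answer with the same 303 redirect, so the response itself leaks nothing about which it was; the only state that distinguishes them lives server-side in $_SESSION.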