Re: module and access rights

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ok, but i would be very glad to know how can i REALLY authenticate the user.
for example, user is logged, so i have in the cookie his login name.

how can i be sure that it's the same user and not some hacker who hacked the
cookie and the session ?
what should be checked and where those data should be stored ?

because i can store in DB the sessionID, and check it to every DB request
user does...but a sessionID can be easily fake.

So what should I do ?

Al.

On 3/4/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:

On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
>
> Alain Roger wrote:
> > I would like to implement a module access rights in my web
application.
> > Basically after authentication and authorization. Logged user has a
> > particular profile which allow him to have access to some part of the
> web
> > application.
> >
> > after reading the security guide from *php*sec.org webpage, i'm
confused
> > regarding how to store user login and password.
> > I mean the encrypted password stored in database is compared to
> encrypted
> > password that user type.
> >
> > But where to store login and password once user is logged ?
> >
> > when i read the security guide it seems that it is not secured enough
to
> > store them in cookies or in sessions data...
> > both can be hacked... So what is the best solution ?
> >
> > i will use those stored data to check if logged user can have access
to
> a
> > particular part of the web application.
> >
> > What is your point of view in such domain ?
>
> Ok, once the user has logged in there is no need to store the password.
> Simply store the username or other user details (but not the password)
> in the session - that's as secure as it's gonna get.
>
> *Never* store a password in a cookie. *Ever*.
>
> -Stut


That's right, never store a password in a cookie or session, maybe a
little
extra security could be added by locking the cookie to a IP address, but
even more secure isn't possible.

Tijnema

--
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>




--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux