Ok, but i would be very glad to know how can i REALLY authenticate the user. for example, user is logged, so i have in the cookie his login name. how can i be sure that it's the same user and not some hacker who hacked the cookie and the session ? what should be checked and where those data should be stored ? because i can store in DB the sessionID, and check it to every DB request user does...but a sessionID can be easily fake. So what should I do ? Al. On 3/4/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:
On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote: > > Alain Roger wrote: > > I would like to implement a module access rights in my web application. > > Basically after authentication and authorization. Logged user has a > > particular profile which allow him to have access to some part of the > web > > application. > > > > after reading the security guide from *php*sec.org webpage, i'm confused > > regarding how to store user login and password. > > I mean the encrypted password stored in database is compared to > encrypted > > password that user type. > > > > But where to store login and password once user is logged ? > > > > when i read the security guide it seems that it is not secured enough to > > store them in cookies or in sessions data... > > both can be hacked... So what is the best solution ? > > > > i will use those stored data to check if logged user can have access to > a > > particular part of the web application. > > > > What is your point of view in such domain ? > > Ok, once the user has logged in there is no need to store the password. > Simply store the username or other user details (but not the password) > in the session - that's as secure as it's gonna get. > > *Never* store a password in a cookie. *Ever*. > > -Stut That's right, never store a password in a cookie or session, maybe a little extra security could be added by locking the cookie to a IP address, but even more secure isn't possible. Tijnema -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >
-- Alain ------------------------------------ Windows XP SP2 PostgreSQL 8.1.4 Apache 2.0.58 PHP 5
