Re: module and access rights

Give your server a unique ID and add that to your check string, let's say,
so you store in your cookie the username and the check string.

example

$user = "tijnema";
// server-side secret that never leaves the server; single quotes so the $ signs stay literal
$server_unique_key = 'w#$#%#54dfa4vf4w5$2!@@$';
// check string sent in the cookie next to the username
$check_string = md5($server_unique_key.$user.$server_unique_key);

and check that each time the user does an action.

Tijnema

-----
Now to the PHP list....


On 3/4/07, Alain Roger <raf.news@xxxxxxxxx> wrote:

Ok, but I would be very glad to know how I can REALLY authenticate the
user.
For example, the user is logged in, so I have his login name in the cookie.

How can I be sure that it's the same user and not some hacker who hacked
the cookie and the session?
What should be checked, and where should those data be stored?

Because I can store the sessionID in the DB and check it on every DB request
the user does... but a sessionID can be easily faked.

So what should I do?

Al.

On 3/4/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:
>
> On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
> >
> > Alain Roger wrote:
> > > I would like to implement module access rights in my web application.
> > > Basically after authentication and authorization, the logged user has a
> > > particular profile which allows him to have access to some part of the
> > > web application.
> > >
> > > After reading the security guide from the *php*sec.org webpage, I'm
> > > confused regarding how to store user login and password.
> > > I mean the encrypted password stored in the database is compared to the
> > > encrypted password that the user types.
> > >
> > > But where to store login and password once the user is logged in?
> > >
> > > When I read the security guide it seems that it is not secure enough to
> > > store them in cookies or in session data...
> > > both can be hacked... So what is the best solution?
> > >
> > > I will use those stored data to check if the logged user can have access
> > > to a particular part of the web application.
> > >
> > > What is your point of view in such a domain?
> >
> > Ok, once the user has logged in there is no need to store the password.
> > Simply store the username or other user details (but not the password)
> > in the session - that's as secure as it's gonna get.
> >
> > *Never* store a password in a cookie. *Ever*.
> >
> > -Stut
>
>
> That's right, never store a password in a cookie or session. Maybe a
> little extra security could be added by locking the cookie to an IP
> address, but even more secure isn't possible.
>
> Tijnema
>
> --
> > PHP General Mailing List (http://www.php.net/ )
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>



--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
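Added example, not code from anyone in the thread: a PHP 7.1+ sketch of the check-string cookie Tijnema describes above (username plus a server-keyed check value), with the "lock the cookie to an IP address" idea from the quoted message as an option. It swaps Tijnema's md5($key.$user.$key) for hash_hmac, which is the keyed construction PHP ships for exactly this purpose, and compares with hash_equals so the check is constant-time. The cookie name "auth", the key value, the username and the IP addresses are all constructed placeholders.

```php
<?php
// Added example: signed login cookie in the spirit of the thread's check string.
// Assumes PHP 7.1+ (nullable type hints); hash_hmac and hash_equals are core.

const COOKIE_NAME = 'auth'; // arbitrary name, assumption

// Constructed placeholder. A real deployment loads a long random secret from
// configuration outside the web root; the secret never goes into the cookie.
$serverUniqueKey = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

// Build the check string for a username, optionally bound to the client IP.
// A NUL separator keeps "user + ip" from being ambiguous.
function makeCheckString(string $user, string $key, ?string $ip = null): string
{
    $payload = $user . "\0" . ($ip ?? '');
    return hash_hmac('sha256', $payload, $key);
}

// Cookie layout: base64(username) "|" check. Encoding the username means a
// "|" inside it cannot shift the field boundary.
function makeAuthCookie(string $user, string $key, ?string $ip = null): string
{
    return base64_encode($user) . '|' . makeCheckString($user, $key, $ip);
}

// Re-check the cookie on every request, as Tijnema suggests.
// Returns the username when the check string matches, null otherwise.
function verifyAuthCookie(string $cookie, string $key, ?string $ip = null): ?string
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $user = base64_decode($parts[0], true); // strict mode rejects junk input
    if ($user === false || $user === '') {
        return null;
    }
    $expected = makeCheckString($user, $key, $ip);
    // Constant-time comparison: timing does not reveal how many bytes matched.
    if (!hash_equals($expected, $parts[1])) {
        return null;
    }
    return $user;
}

// --- Usage with constructed values ---
$user = 'tijnema';
$ip   = '203.0.113.10'; // documentation-range address, constructed

$cookieValue = makeAuthCookie($user, $serverUniqueKey, $ip);
// On login (PHP 7.3+ option array): keep the cookie off JavaScript and off plain HTTP.
// setcookie(COOKIE_NAME, $cookieValue, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Genuine cookie from the same address: returns "tijnema".
var_dump(verifyAuthCookie($cookieValue, $serverUniqueKey, $ip));

// Same cookie presented from another address: IP lock fails, returns NULL.
var_dump(verifyAuthCookie($cookieValue, $serverUniqueKey, '198.51.100.7'));

// Username swapped for "admin" while keeping the old check string: returns NULL.
$forged = base64_encode('admin') . '|' . explode('|', $cookieValue)[1];
var_dump(verifyAuthCookie($forged, $serverUniqueKey, $ip));
```

What the check string does and does not buy you, which is really Alain's question: it proves the cookie was minted by this server and has not been altered, so nobody can edit the username field to become another user without the key. It does not prove the bearer is the original user; a copied cookie verifies just as well until it expires or the server revokes it, which is why it is normally paired with a short lifetime, HttpOnly and Secure flags, and a server-side session record that can be invalidated. The IP lock narrows replay but also logs out users whose address changes mid-session (mobile networks, rotating proxies), so decide per deployment whether that trade-off is acceptable.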

