But where do you store the $server_unique_key? In DB? If yes, it should be different for each user logged in to the system. Moreover, the $check_string algorithm should not be written in the cookie as it is a weakness from my point of view.

Alain

On 3/4/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:

Give your server a unique ID, and add that to your check string. Let's say you store in your cookie the username and the check string. Example:

$user = "tijnema";
$server_unique_key = "w#$#%#54dfa4vf4w5$2!@@$";
$check_string = md5($server_unique_key.$user.$server_unique_key);

and check that each time the user does an action.

Tijnema

----- Now to the PHP list....

On 3/4/07, Alain Roger <raf.news@xxxxxxxxx> wrote:
>
> Ok, but I would be very glad to know how I can REALLY authenticate the
> user.
> For example, the user is logged in, so I have in the cookie his login name.
>
> How can I be sure that it's the same user and not some hacker who hacked
> the cookie and the session?
> What should be checked and where should those data be stored?
>
> Because I can store in DB the sessionID, and check it on every DB request
> the user does... but a sessionID can be easily faked.
>
> So what should I do?
>
> Al.
>
> On 3/4/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:
> >
> > On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
> > >
> > > Alain Roger wrote:
> > > > I would like to implement module access rights in my web application.
> > > > Basically after authentication and authorization, the logged-in user has a
> > > > particular profile which allows him to have access to some part of the web
> > > > application.
> > > >
> > > > After reading the security guide from the phpsec.org webpage, I'm confused
> > > > regarding how to store user login and password.
> > > > I mean the encrypted password stored in the database is compared to the
> > > > encrypted password that the user types.
> > > >
> > > > But where to store login and password once the user is logged in?
> > > >
> > > > When I read the security guide it seems that it is not secure enough to
> > > > store them in cookies or in session data...
> > > > Both can be hacked... So what is the best solution?
> > > >
> > > > I will use those stored data to check if the logged-in user can have access
> > > > to a particular part of the web application.
> > > >
> > > > What is your point of view in such a domain?
> > >
> > > Ok, once the user has logged in there is no need to store the password.
> > > Simply store the username or other user details (but not the password)
> > > in the session - that's as secure as it's gonna get.
> > >
> > > *Never* store a password in a cookie. *Ever*.
> > >
> > > -Stut
> >
> > That's right, never store a password in a cookie or session. Maybe a little
> > extra security could be added by locking the cookie to an IP address, but
> > even more secure isn't possible.
> >
> > Tijnema
> >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> Alain
> ------------------------------------
> Windows XP SP2
> PostgreSQL 8.1.4
> Apache 2.0.58
> PHP 5

--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
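The check-string idea from the thread, reworked as an added example that is not code from any of the posters: the cookie carries the username plus an expiry, and the check value is an HMAC with a server-side secret rather than md5($key.$user.$key), compared in constant time. SERVER_SECRET, issue_auth_cookie and verify_auth_cookie are assumed names.

```php
<?php
// Added example, not from the thread: a signed cookie carrying the username
// and an expiry, checked with an HMAC instead of md5($key.$user.$key).
// SERVER_SECRET is an assumed placeholder; in practice load a long random
// value from server-side configuration, never from the cookie itself.
const SERVER_SECRET = 'replace-with-a-long-random-secret';

// Build the cookie value "user|expires|mac". The MAC covers both fields, so
// neither the username nor the expiry can be altered without the secret.
function issue_auth_cookie(string $user, int $expires, string $secret): string
{
    $payload = $user . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Verify a presented cookie; returns the username, or null when the format
// is off (including a '|' inside the username), the cookie has expired, or
// the MAC does not match.
function verify_auth_cookie(string $cookie, string $secret, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    if ($user === '' || !ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $user . '|' . $expires, $secret);
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading bytes of a forged MAC were correct.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return $user;
}

// Usage (assumed cookie name 'auth'): at login, then on every request.
// setcookie('auth', issue_auth_cookie('tijnema', time() + 3600, SERVER_SECRET),
//           ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
// $user = verify_auth_cookie($_COOKIE['auth'] ?? '', SERVER_SECRET, time());
```

A valid MAC proves the server issued the cookie, not that the bearer is the original user, so a copied cookie still works until it expires; that is why the lifetime is short and the secret never leaves the server.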