Re: module and access rights

I have already started to use SSL, but I do not understand how to keep it
running.

I mean, after the user has been authenticated and authorized to go further, all
the next web pages are opened using the PHP location(https://...); command.
However, it does not guarantee that it cannot be faked by just typing
https://another_webpage.php into the browser address bar.

for example:
1. my login page is called "index.php" and it is accessible only by https. If
the user types http://../index.php, index.php redirects itself to
https://.../index.php.
2. the user types login and password.
3. the application checks them against information stored in the DB and
authorizes the user to go further, so a session is created and the user is
redirected to https://.../welcome.php

what prevents a hacker from directly typing https://.../welcome.php?
how can I be sure that it works correctly as in my example?

thanks a lot,

Al.

On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:

Tijnema ! wrote:
> On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
>>
>> Tijnema ! wrote:
>> > Give your server a unique ID, and add that to your check string, let's
>> > say, so you store in your cookie the username and the check string.
>> >
>> > example
>> > $user = "tijnema";
>> > $server_unique_key = "w#$#%#54dfa4vf4w5$2!@@$";
>> > $check_string = md5($server_unique_key.$user.$server_unique_key);
>> >
>> > and check that each time the user does an action.
>>
>> How, exactly, is that any more secure than a standard session identifier?
>>
>> While it's good to worry about security, adding pointless activity such
>> as this to every request is not going to help. Anything you do is going
>> to involve some piece of data being transferred from client to server,
>> and can therefore be faked/shared by the client. Get over it.
>>
>> -Stut
>
> It is of course possible to share it with another client, but when
> combining this with the IP address, it can only be used in the same LAN.
> To get to the point, using this means you cannot simply fake the username
> in the cookie, which is possible otherwise. Session identifiers can be
> faked too.

As I said in another email, you *cannot* use the IP address for any
verification without causing usability issues. It is perfectly
legitimate for sequential requests from any given user to come from
different IP addresses. The biggest user of systems like this is AOL,
and that's a fairly large user base you may want to avoid annoying by
insisting that they login for every other request.

In short, this issue has been discussed to death, not only by the PHP
community but also by the web community at large. If you're really
paranoid, use SSL to secure all data transferred, but just accept that
it's possible that a session may be hijacked. However, unless you're a
bank, is anyone really going to bother?

-Stut

>> On 3/4/07, Alain Roger <raf.news@xxxxxxxxx> wrote:
>> >>
>> >> Ok, but I would be very glad to know how I can REALLY authenticate the
>> >> user.
>> >> for example, the user is logged in, so I have his login name in the cookie.
>> >>
>> >> how can I be sure that it's the same user and not some hacker who hacked
>> >> the cookie and the session?
>> >> what should be checked and where should that data be stored?
>> >>
>> >> because I can store the sessionID in the DB, and check it on every DB
>> >> request the user does... but a sessionID can be easily faked.
>> >>
>> >> So what should I do?
>> >>
>> >> Al.
>> >>
>> >> On 3/4/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:
>> >> >
>> >> > On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
>> >> > >
>> >> > > Alain Roger wrote:
>> >> > > > I would like to implement module access rights in my web
>> >> > > > application. Basically, after authentication and authorization, the
>> >> > > > logged-in user has a particular profile which allows him to have
>> >> > > > access to some parts of the web application.
>> >> > > >
>> >> > > > after reading the security guide from the *php*sec.org webpage, I'm
>> >> > > > confused regarding how to store user login and password.
>> >> > > > I mean the encrypted password stored in the database is compared to
>> >> > > > the encrypted password that the user types.
>> >> > > >
>> >> > > > But where to store login and password once the user is logged in?
>> >> > > >
>> >> > > > when I read the security guide it seems that it is not secure
>> >> > > > enough to store them in cookies or in session data...
>> >> > > > both can be hacked... So what is the best solution?
>> >> > > >
>> >> > > > I will use that stored data to check if the logged-in user can have
>> >> > > > access to a particular part of the web application.
>> >> > > >
>> >> > > > What is your point of view in such a domain?
>> >> > >
>> >> > > Ok, once the user has logged in there is no need to store the
>> >> > > password. Simply store the username or other user details (but not
>> >> > > the password) in the session - that's as secure as it's gonna get.
>> >> > >
>> >> > > *Never* store a password in a cookie. *Ever*.
>> >> > >
>> >> > > -Stut
>> >> >
>> >> >
>> >> > That's right, never store a password in a cookie or session. Maybe a
>> >> > little extra security could be added by locking the cookie to an IP
>> >> > address, but even more secure isn't possible.
>> >> >
>> >> > Tijnema
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Alain
>> >> ------------------------------------
>> >> Windows XP SP2
>> >> PostgreSQL 8.1.4
>> >> Apache 2.0.58
>> >> PHP 5
>> >>
>> >
>>
>>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
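
Added example, not code from this thread or from any of its authors: a
single-file PHP sketch of the pattern Stut describes and of the check Al is
asking about. After a successful login only the user's id and profile go into
the server-side session (never the password), and welcome.php and every other
protected page call require_module() before emitting anything, so typing the
URL of welcome.php directly yields a session with no user_id and a redirect
back to index.php. Assumptions that are not from the thread: PHP 7.3 or later
(password_verify(), the array form of session_set_cookie_params()), a $pdo
connection, a users(id, username, password_hash, profile) table, the SITE_HOST
constant and the MODULE_ACCESS map.

```php
<?php
// Added example (not from the thread). auth.php: shared by index.php and
// every protected page. Schema, host name and module map below are assumed.
declare(strict_types=1);

const SITE_HOST = 'www.example.com'; // assumed; never trust $_SERVER['HTTP_HOST'] for redirects

// Module access rights: which profile may open which module (assumed map).
const MODULE_ACCESS = [
    'welcome'   => ['admin', 'reporting', 'user'],
    'reporting' => ['admin', 'reporting'],
    'admin'     => ['admin'],
];

// Step 1 of Al's flow: a plain-http request to a page is bounced to https.
function require_https(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session id is the only thing the client holds; keep it out of URLs,
    // out of JavaScript, and off plain http. Unknown ids are not adopted.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Steps 2-3: verify the posted credentials against the stored hash and create
// the session. Returns true on success. The password is not kept afterwards.
function login(PDO $pdo, string $username, string $password): bool
{
    start_secure_session();
    $stmt = $pdo->prepare('SELECT id, password_hash, profile FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_hash stores a salted hash; nothing is ever decrypted.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh id on login so a pre-login id an attacker planted is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['profile']  = $row['profile'];   // e.g. 'admin', 'reporting', 'user'
    $_SESSION['login_at'] = time();
    return true;
}

// The answer to "what stops someone typing welcome.php directly": the page
// itself re-checks the server-side session on every request.
function require_login(): void
{
    require_https();
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: https://' . SITE_HOST . '/index.php', true, 303);
        exit;
    }
}

// Module access rights on top of login: profile must be allowed for the module.
function require_module(string $module): void
{
    require_login();
    $allowed = MODULE_ACCESS[$module] ?? [];
    if (!in_array($_SESSION['profile'] ?? '', $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// index.php (login page) -------------------------------------------------
// require 'auth.php';
// require_https();
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: https://' . SITE_HOST . '/welcome.php', true, 303);
//     exit;
// }

// welcome.php (and every other protected page) ---------------------------
// require 'auth.php';
// require_module('welcome');
// echo 'Welcome, user #' . (int) $_SESSION['user_id'];
```

This is exactly as strong as Stut says it is: the session cookie is still a
bearer token, so whoever obtains it is the user until the session ends. The
secure and httponly flags, regenerating the id at login and use_strict_mode
shrink the ways it can leak; the code deliberately does not bind the session to
the client IP address, for the usability reason Stut gives about users whose
requests legitimately arrive from changing addresses.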
