On Monday, 5 March 2007 at 15:05, Alain Roger wrote:
> I already started to use SSL, but i do not understand how to keep it
> running.
>
> I mean after user has been authenticated and authorized to go further, all
> next web pages are opened using PHP location(https://...); command.
> however, it does not certify that it can not be faked by just typing into
> browser address bar https://another_webpage.php
>
> for example :
> 1. my login page is called "index.php" and it is accessible only by https. if
> user type http://../index.php, the index.php redirect itself to
> https://.../index.php.
> 2. user type logon and password.
> 3. application control it with information stored into DB and authorize user
> to go further, so a session is created and user is redirected to
> https://.../welcome.php
>
> what avoid hacker to directly type https://.../welcome.php ?
> how to be sure that it works correctly as in my example ?

you should check the session settings in the beginning of welcome.php
if session is not set correctly redirect to index.php instead

greets
Zoltán Németh

>
> thanks a lot,
>
> Al.
>
> On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
> >
> > Tijnema ! wrote:
> > > On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
> > >>
> > >> Tijnema ! wrote:
> > >> > Give your server a unique ID, and add that to your check string lets
> > >> > say so you store in your cookie the username and the check string.
> > >> >
> > >> > example
> > >> > $user = "tijnema";
> > >> > $server_unique_key = "w#$#%#54dfa4vf4w5$2!@@$";
> > >> > $check_string = md5($server_unique_key.$user.$server_unique_key);
> > >> >
> > >> > and check that each time the user does an action.
> > >>
> > >> How, exactly, is that any more secure than a standard session
> > >> identifier?
> > >>
> > >> While it's good to worry about security, adding pointless activity such
> > >> as this to every request is not going to help. Anything you do is going
> > >> to involve some piece of data being transferred from client to server,
> > >> and can therefore be faked/shared by the client. Get over it.
> > >>
> > >> -Stut
> > >
> > > It is of course possible to share it to another client, but when
> > > combining this with the IP address. This means it can only be used in the
> > > same LAN.
> > > To get to the point, using this means you cannot simply fake the
> > > username in the cookie, which is possible else. session identifiers can
> > > be faked too.
> >
> > As I said in another email, you *cannot* use the IP address for any
> > verification without causing usability issues. It is perfectly
> > legitimate for sequential requests from any given user to come from
> > different IP addresses. The biggest user of systems like this is AOL,
> > and that's a fairly large user base you may want to avoid annoying by
> > insisting that they log in for every other request.
> >
> > In short, this issue has been discussed to death, not only by the PHP
> > community but also by the web community at large. If you're really
> > paranoid, use SSL to secure all data transferred, but just accept that
> > it's possible that a session may be hijacked. However, unless you're a
> > bank, is anyone really going to bother?
> >
> > -Stut
> >
> > >> On 3/4/07, Alain Roger <raf.news@xxxxxxxxx> wrote:
> > >> >>
> > >> >> Ok, but i would be very glad to know how can i REALLY authenticate
> > >> >> the user.
> > >> >> for example, user is logged, so i have in the cookie his login name.
> > >> >>
> > >> >> how can i be sure that it's the same user and not some hacker who
> > >> >> hacked the cookie and the session ?
> > >> >> what should be checked and where those data should be stored ?
> > >> >>
> > >> >> because i can store in DB the sessionID, and check it to every DB
> > >> >> request user does...but a sessionID can be easily faked.
> > >> >>
> > >> >> So what should I do ?
> > >> >>
> > >> >> Al.
> > >> >>
> > >> >> On 3/4/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:
> > >> >> >
> > >> >> > On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
> > >> >> > >
> > >> >> > > Alain Roger wrote:
> > >> >> > > > I would like to implement a module access rights in my web
> > >> >> > > > application.
> > >> >> > > > Basically after authentication and authorization. Logged user
> > >> >> > > > has a particular profile which allow him to have access to some
> > >> >> > > > part of the web application.
> > >> >> > > >
> > >> >> > > > after reading the security guide from *php*sec.org webpage,
> > >> >> > > > i'm confused regarding how to store user login and password.
> > >> >> > > > I mean the encrypted password stored in database is compared
> > >> >> > > > to encrypted password that user type.
> > >> >> > > >
> > >> >> > > > But where to store login and password once user is logged ?
> > >> >> > > >
> > >> >> > > > when i read the security guide it seems that it is not secured
> > >> >> > > > enough to store them in cookies or in sessions data...
> > >> >> > > > both can be hacked... So what is the best solution ?
> > >> >> > > >
> > >> >> > > > i will use those stored data to check if logged user can have
> > >> >> > > > access to a particular part of the web application.
> > >> >> > > >
> > >> >> > > > What is your point of view in such domain ?
> > >> >> > >
> > >> >> > > Ok, once the user has logged in there is no need to store the
> > >> >> > > password.
> > >> >> > > Simply store the username or other user details (but not the
> > >> >> > > password) in the session - that's as secure as it's gonna get.
> > >> >> > >
> > >> >> > > *Never* store a password in a cookie. *Ever*.
> > >> >> > >
> > >> >> > > -Stut
> > >> >> >
> > >> >> > That's right, never store a password in a cookie or session, maybe
> > >> >> > a little extra security could be added by locking the cookie to an
> > >> >> > IP address, but even more secure isn't possible.
> > >> >> >
> > >> >> > Tijnema
> > >> >>
> > >> >> --
> > >> >> Alain
> > >> >> ------------------------------------
> > >> >> Windows XP SP2
> > >> >> PostgreSQL 8.1.4
> > >> >> Apache 2.0.58
> > >> >> PHP 5

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
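The check Zoltán describes for welcome.php, worked through as an added example (not code from anyone in the thread): a small auth.php that index.php uses after verifying the password against the DB and that welcome.php requires before sending any output. It assumes PHP 5.5 or later for password_verify, a PDO connection, and a users table with username and password_hash columns; the host names are placeholders.

```php
<?php
// auth.php (added example). Assumed: PHP >= 5.5, PDO, table users(username,
// password_hash). Host names below are placeholders.

// Call this instead of a bare session_start(): the session cookie is marked
// Secure (HTTPS only) and HttpOnly (not readable by page scripts).
function start_secure_session() {
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

// index.php, after the login form is posted over HTTPS: compare the typed
// password with the stored hash, then create the session. Only the username
// is stored; the password is never kept in the session or a cookie.
function login_user(PDO $db, $username, $password) {
    start_secure_session();
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;                     // unknown user or wrong password
    }
    session_regenerate_id(true);          // new id: a pre-login id is not reused
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    header('Location: https://www.example.com/welcome.php'); // placeholder
    exit;
}

// welcome.php and every other protected page begin with
//     require 'auth.php'; require_login();
// before any HTML. Typing the URL directly yields a redirect to index.php
// because no session carries 'user'. No IP check is done on purpose: as the
// thread notes, a user's address can legitimately change between requests.
function require_login($max_age = 1800) {
    start_secure_session();
    $ok = isset($_SESSION['user'], $_SESSION['login_time'])
        && (time() - $_SESSION['login_time']) < $max_age;
    if (!$ok) {
        $_SESSION = array();
        session_destroy();
        header('Location: https://www.example.com/index.php'); // placeholder
        exit; // without exit the rest of welcome.php would still be served
    }
}
```

The `exit` after each `header('Location: ...')` is the part most often forgotten: a redirect header alone does not stop PHP from rendering and sending the protected page body.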