On 11 Oct 2008, at 20:18, Alain Roger wrote:
> To have access to my web application, the user needs to log in. Before sending login/password over the net, the user is directly redirected to the HTTPS version of my web application in case he did not write HTTPS:// in the address bar.
>
> Once he types login/password, everything is checked against DB data and, if it is correct, he is granted the right to continue and is redirected to another HTTPS web page.
>
> I would like to improve security but I'm not sure it makes sense as HTTPS is used.
SSL secures the data transmission from client to server and there's nothing currently available that provides better security at that level.
> Therefore I was thinking of requesting, for each stored procedure (all my SQL requests are in stored procedures), login and password (stored in the session)... but does it really make sense?
First of all, IMHO there are no valid reasons for storing passwords in the session. If you think you have one I'm betting your architecture is either overly complicated or just plain wrong.

Secondly, I see no security advantage in requiring a username and password to be passed along with each stored procedure request. Aside from the extra overhead, if someone gets access to your database you have other problems which won't be solved by requiring a username and password to execute stored procedures.
-Stut
--
http://stut.net/
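The pattern Stut describes, as an added example that is not part of the thread: force HTTPS before reading credentials, verify the password against a stored hash, keep only the user id in the session, and let later requests call stored procedures through the application's own database account. The `users` table, the `list_orders` procedure (MySQL-style `CALL`) and the `$pdo` connection are assumed names.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo, a users
// table with columns (id, username, password_hash) and a stored procedure
// list_orders(IN user_id INT); all of these names are illustrative.

declare(strict_types=1);

// 1. Force HTTPS before any credential is read, as the original post does.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 302);
    exit;
}

session_start();

// 2. Verify credentials against a stored hash; the plaintext password is
//    compared once and never stored anywhere, session included.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id on login so a pre-login id cannot be reused (fixation).
    session_regenerate_id(true);
    // Only the identity and login time go into the session: no password.
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

// 3. Later requests authorise from the session and call stored procedures
//    with the application's own least-privilege DB account; the user's
//    password is not needed again.
function listOrders(PDO $pdo): array
{
    if (!isset($_SESSION['user_id'])) {
        throw new RuntimeException('not authenticated');
    }
    $stmt = $pdo->prepare('CALL list_orders(:uid)');
    $stmt->execute([':uid' => $_SESSION['user_id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The DB account the application connects with should have EXECUTE on the procedures it needs and nothing more, which is the control that actually limits damage if the application is compromised.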
--
PHP General Mailing List (http://www.php.net/)