On Thu, May 30, 2013 at 12:06:02PM -0400, Tedd Sperling wrote:

> On May 29, 2013, at 11:05 PM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
>
>> http://sperling.com/php/authorization/log-on.php
>>
>> I realize this is example code.
>>
>> My question is, in a real application where that $_SESSION['auth']
>> token would be used subsequently to gain entry to other pages, what
>> would you use instead of the simple TRUE/FALSE value? It seems that
>> someone (with far more knowledge of hacking than I have) could
>> rather easily hack the session value to change its value. But then
>> again, I pretty much suck when it comes to working out how you'd
>> "hack" (crack) things.
>>
>> Paul
>
> Paul:
>
> While the above link may be example code, it is still sound for
> production.
>
> Keep in mind that everything in security comes down to a true/false
> condition. Do you let the person in or not!
>
> Certainly there are attacks on session ids and one must deal with
> that. But that's the level of security we have today.
>
> I could go through all the things you need to consider in protecting
> your session id (e.g., not accessing your bank accounts while having
> coffee at StartBucks) but that would defeat the purpose of attending
> one of my classes on the subject. :-)

Yep, next time I'm up at the North Pole, I'll drop in and see you.

Meantime, the beach is heating up. Better go get some more ice for my
margaritas. [grin]

Paul

--
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
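Added example (editor's code, not the page behind the log-on.php link and not from Tedd's classes), assuming PHP 7.3+ and a hypothetical find_user() lookup: the $_SESSION['auth'] decision stays a server-side yes/no, but the session id is regenerated at log-on and rejected unless the server issued it, because the browser only ever holds the opaque id, never the $_SESSION contents.

```php
<?php
// Added example, not the code behind the log-on.php link above.
// find_user($name) is a hypothetical lookup returning ['id' => int, 'hash' => string]
// (hash made with password_hash()) or null.

function session_boot(): void {
    // Only accept ids the server itself issued, so an attacker-chosen id is useless.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // cookie only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_on(string $name, string $password): bool {
    $user = find_user($name);  // hypothetical lookup
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Swap the id at the moment of privilege change: any id captured before
    // log-on no longer maps to this authenticated session.
    session_regenerate_id(true);
    // Record who is logged in and when. Only the opaque id ever reaches the
    // browser; this array lives server-side, so the client cannot edit it.
    $_SESSION['auth'] = ['user_id' => $user['id'], 'login_at' => time()];
    return true;
}

// Call at the top of every protected page; returns the auth record or redirects.
function require_auth(int $max_age = 3600): array {
    $auth = $_SESSION['auth'] ?? null;
    // Absolute lifetime: a stolen session stops working after $max_age seconds.
    if (!is_array($auth) || time() - $auth['login_at'] > $max_age) {
        log_off();
        header('Location: /log-on.php');
        exit;
    }
    return $auth;
}

function log_off(): void {
    $_SESSION = [];
    session_destroy();
}

// Protected page usage:
// session_boot();
// $auth = require_auth();
// echo 'Hello, user ' . (int) $auth['user_id'];
```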