Re: Is there anything wrong with using this for authentication...
On Tue, 15 Apr 2003, Jonathan Villa wrote:

> Is there anything wrong with using this method for authentication to
> login into an application then to make sure that only the user that is
> logged in is able to use/see the application.
>
> 1. after submitting the form, the username and password are used to
> query the database, and if that combination is found, I do the following
>
> $_SESSION['current_user'] = session_id();
> header("admin/main.php");

 header() is a built-in function which allows you to send HTTP Headers to
 the browser.  Ignoring that fact, the rest of the code is fine.

> So in summary, is there anything wrong with this logic?  Can it be
> easily hacked?  Is it best practice?

 Can it be hacked?  Probably.  Depends on how long your sessions live.  If
 I get on your computer, look at your cookie, take that session ID, make my
 own cookie locally, and that session isn't already deleted, yes, I can
 become you.  But that would take a lot of effort.  I don't see any problem
 with it, since session_id's are pretty unguessable.  The only issue would
 be if you were having them log in not via SSL.  Then again, I'm being
 extraordinarily paranoid.

 Most likely, if there is a hack it will be because of a tainted variable,
 a buffer overflow, or a problem with the security of your DB, files, or
 something like that.

 The security you propose is the same as is used on most unix systems,
 assuming the usernames and passwords are stored in a DB server that is
 well maintained and secured, or that the file system that holds the file
 that holds the usernames and passwords is not readable by anyone except
 your application.  Most likely the HTTP server user can read that file,
 and if that's the case, I can write a CGI that, when run by the web
 server, will have the same file permissions and I can read your
 username/password file freely.

Peter
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------
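Added example (editor's code, not from either poster): a PHP login handler and page guard that put the points raised in this exchange into practice: a redirect sent as a real Location header, a session cookie that is only sent over SSL, a bounded session lifetime so a copied session id stops working, and a prepared query so the form fields cannot taint the SQL. It assumes a PDO connection in `$pdo` and a `users` table with `id`, `username` and `password_hash` columns (a `password_hash()` output); the paths `/admin/main.php` and `/login.php` are placeholders.

```php
<?php
// Added example, not code from the thread. Assumptions: $pdo is an open PDO
// connection; table users(id, username, password_hash) exists; the
// password_hash column holds password_hash() output.
declare(strict_types=1);

// Session cookie hardening: only sent over TLS, not readable by script,
// expires with the browser session. The 'secure' flag is what makes the
// "log in not via SSL" concern from the reply moot.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Returns the user's id on success, null otherwise. The prepared statement
// keeps the submitted username out of the SQL text (the tainted-variable case).
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist so that a
    // missing user and a wrong password take the same time to reject.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return (int) $row['id'];
}

// Handle the submitted login form.
function login(PDO $pdo): void
{
    start_secure_session();
    $userId = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($userId === null) {
        http_response_code(401);
        echo 'Login failed';
        return;
    }

    // Issue a fresh session id at the moment of login and discard the old
    // one, so an id that existed before authentication never becomes an
    // authenticated id.
    session_regenerate_id(true);

    // Record who is logged in and when; later pages read this, not the
    // session id, which the cookie already carries.
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    $_SESSION['last_seen']  = time();

    // header() emits a raw HTTP header; a redirect is the Location header.
    header('Location: /admin/main.php', true, 303);
    exit;
}

// Call at the top of every page that only a logged-in user may see.
// Returns the user id, or redirects to the login page and exits.
function require_login(int $maxIdleSeconds = 900): int
{
    start_secure_session();
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }

    // Bound the session's useful life: a session id copied from a cookie
    // only works until the idle timeout has passed.
    if (time() - (int) $_SESSION['last_seen'] > $maxIdleSeconds) {
        session_unset();
        session_destroy();
        header('Location: /login.php?expired=1', true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```

Usage: the login form's action script calls `login($pdo)`; `admin/main.php` and every other protected page begin with `$uid = require_login();`. The idle timeout is the server-side answer to "depends on how long your sessions live": the shorter it is, the smaller the window in which a copied session id is worth anything.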

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

