Hello all,
This may be a FAQ somewhere so just point me there if this is the case.
I am using MySQL + PHP + apache to write an application that requires
row-level security (I posted a message about this a week or two ago).
It's all in place now but I'd like some feedback on my implementation
especially with a view to potential security holes.
I don't use MySQL security. This is because it can't provide row-level
security and can be bypassed using a client that's not mine.
So, access to the database is through a single mysql user who has complete
rights to the database. I have created some security tables and I use
them to control access.
The username and password are stored as cookies through the browser. If
the cookies don't exist (or have expired), a login screen is displayed.
How does this look? The mysql user and password exist in plain text in a
.php file. Can this ever be retrieved by a user or will apache always
generate the html when it sees that it's a php file?
What are the security implications of using cookies? I have the plaintext
username in one cookie and the mysql-encrypted password in another.
Neither cookie is called 'user' or 'password' or something like that.
I've kept the names cryptic.
Thanks for your input.
Mark
--
Mark Ferraretto Phone: +61 8 8396 2448
Ferraretto IT Services Fax: +61 8 8396 7176
26 Observation Drive Mobile: +61 412 959 714
Highbury SA 5089 Email: mark@stripped
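The design described in the post (one database account for the whole application, with row-level access enforced by the application against its own security tables) is commonly implemented as shown below. This is an added illustration, not Mark's code: the table names `documents` and `document_acl`, the config path `/etc/myapp/db-config.php`, and the column names are all hypothetical. It differs from the post in two places that address the questions it raises: the database credentials are loaded from a file outside the web root, so a misconfiguration that serves `.php` files as plain text does not expose them, and the logged-in user is tracked in a server-side PHP session rather than in cookies that carry the username and password hash.

```php
<?php
// Added example, not from the original post. Hypothetical schema:
//   documents(id, body)
//   document_acl(doc_id, user_id, can_read, can_write)
//   users(id, username, password_hash)
// The application connects as a single MySQL account; every row-level
// decision is made by the application against document_acl.

declare(strict_types=1);

// Credentials live outside DocumentRoot (assumed path), so the web server
// never has a reason to serve them, even if PHP handling is misconfigured.
$config = require '/etc/myapp/db-config.php'; // returns ['dsn'=>..., 'user'=>..., 'pass'=>...]
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

/**
 * Verify a login and bind the user id to a server-side session.
 * Only the session id travels in a cookie; the password never does.
 */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after authentication
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

/**
 * Return only the rows the current user may read. The ACL join is part of
 * the query itself, so there is no path that fetches a row and checks later.
 */
function listReadableDocuments(PDO $pdo, int $userId): array
{
    $sql = 'SELECT d.id, d.body
              FROM documents d
              JOIN document_acl a ON a.doc_id = d.id
             WHERE a.user_id = :uid AND a.can_read = 1';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':uid' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Update a row only if the ACL grants write access. The WHERE clause
 * carries the authorization check, so an id the user may not write
 * simply matches zero rows. Note: MySQL reports affected rows as rows
 * actually changed, so writing an identical body also yields 0.
 */
function updateDocument(PDO $pdo, int $userId, int $docId, string $body): bool
{
    $sql = 'UPDATE documents d
              JOIN document_acl a ON a.doc_id = d.id
               SET d.body = :body
             WHERE d.id = :doc AND a.user_id = :uid AND a.can_write = 1';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':body' => $body, ':doc' => $docId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// Request handling: require an authenticated session before touching data.
session_start();
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}
$userId = (int) $_SESSION['user_id'];

foreach (listReadableDocuments($pdo, $userId) as $doc) {
    echo htmlspecialchars($doc['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Two properties make this hold up when the only thing standing between a user and the full database is the application: every query that returns or modifies protected rows is joined to the ACL table with the user id bound as a parameter, so an access check cannot be forgotten on one code path and nothing the user supplies is interpolated into SQL; and the only client-side token is the opaque session id, so the cookie names being cryptic no longer matters because there is nothing in the cookies worth reading.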