The timeout (and logout) issues are why I didn't go this way. Like you
say, it's hard to expire a login using the HTTP authentication. Cookies
are easier.
I do intend to implement SSL to help with the sniffing - probably mod_ssl
over Apache-SSL.
On Thu, 17 Feb 2000, Robert Goff wrote:
> Date: Thu, 17 Feb 2000 13:59:41 -0700
> From: Robert Goff <robert@stripped>
> To: mark@stripped, mysql@stripped
> Subject: RE: Comments on security.
>
> - The username and password are stored as cookies through the browser. If
> - the cookies don't exist (or have expired), a login screen is displayed.
>
> After initial authentication, why do you need the password passed back in
> the cookie environment? It offers another opportunity for sniffing.
>
> An alternative authentication method is HTTP basic authentication. Username
> and password are handled in separate transactions between the server and the
> client; your php application gets the username from the environment, and the
> password is never available to the application environment. Using it with
> SSL makes the password unsniffable. It does make it harder to time out a
> login, either with or without SSL.
>
> --
> Better to rule in Hell than to serve in Heaven.
> ===============================================
> Robert Goff robert@stripped
> Technical Writer/Editor, Webmaster 505-564-8959
>
>
--
Mark Ferraretto Phone: +61 8 8396 2448
Ferraretto IT Services Fax: +61 8 8396 7176
26 Observation Drive Mobile: +61 412 959 714
Highbury SA 5089 Email: mark@stripped
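The session-cookie design the thread converges on (an opaque cookie that never carries the password, and that the server can time out or log out), as an added example that is not code from either correspondent. The in-memory store, the 15-minute idle timeout and the constructed user table are assumptions, and it is shown in Python rather than the PHP mentioned in the thread:

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table (assumption): a real application would use a proper
# salted password hash (a KDF), not a bare SHA-256 over a fixed salt.
USERS = {"mark": hashlib.sha256(b"salt:correct horse").hexdigest()}

# In-memory session store (assumption): session id -> (username, expiry time).
SESSIONS = {}
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the login expires

def check_credentials(username, password):
    """Verify the password once, at login, in constant time."""
    digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(username, ""), digest)

def login(username, password, now=None):
    """Return an opaque session id to put in the cookie, or None on failure.
    The password itself never goes into the cookie, so a sniffed or stored
    cookie does not reveal it (Robert's objection to the original design)."""
    if not check_credentials(username, password):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    SESSIONS[sid] = (username, now + IDLE_TIMEOUT)
    return sid

def current_user(cookie_sid, now=None):
    """Map the cookie back to a username, enforcing the idle timeout.
    None means missing, unknown or expired: show the login screen again."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(cookie_sid)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del SESSIONS[cookie_sid]  # expired: drop it server side
        return None
    SESSIONS[cookie_sid] = (username, now + IDLE_TIMEOUT)  # sliding expiry
    return username

def logout(cookie_sid):
    """Explicit logout: invalidating server side works even if the browser
    keeps the cookie, which HTTP basic authentication cannot offer."""
    return SESSIONS.pop(cookie_sid, None) is not None

def set_cookie_header(sid):
    """Cookie attributes for the SSL deployment Mark plans: Secure keeps the
    id off plain HTTP, HttpOnly keeps it away from page scripts."""
    return "Set-Cookie: sid=%s; Path=/; Secure; HttpOnly" % sid
```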