From: Van
Date: May 17 1999 5:23am
Subject: Re: PHP Tracking of Variables (was) Per User Password Administration
<snip--anyone interested in this?--snip>
> 
> Does PHP have support for cookies? If not, or if you do not want cookie
> warnings to be seen by the cookie-paranoid, just use a hidden input in
> the form. If you want to be really "bullet-proof" (well, nothing is
> really bullet-proof) secure, you should not trust the value of the
> cookie/hidden input but always authenticate it against some
> authentication schema.
Yeah, Sasha, we have cookie support in PHP.  I can't necessarily
discredit it either, but, like your insinuations, I fought for 4 hours
to find a better solution.  I actually had one for a time, but there
was a flaw that destroyed that approach (PHP is process-oriented {good
for security:  I like}, and destroys putenv vars along its course.
I'm for this, but it obviously creates more work).
The cookies solution works, and is live now, after a mere 15 minutes
of finally relegating myself to this approach.  I'm not sold on it, but
I'm not sold off it, either.  The cookies die after 60 minutes, and
hold the username and a cryptized (via MySQL select
password("password")) call, so I'm comfortable with that.  Have tested
it, and it truly snubs ambivalent attempts to snag the user name back
to the log on page.
Things I need now are (delete cookie:  not native, at 1st glance
anyway, in PHP; and change cookie).  I hate to say it, but this appears
to be the most efficient approach to authentication schemes.  I know
there are utilities out there, but there is overhead in propagating
these recommendations to the masses who wish to use these solutions over
the bare-bones PHP/MySQL implementation.  I think many out there, such
as myself, are looking for:  Okay, I'm writing this app, and I want to
write my own authentication, but I don't want it to be a 4-week
process.

In sum:  asp/IIS/mssql/frontpage does this in about a 3-day solution
(have tested and implemented it), but the security cost in an app such
as I'm writing is not acceptable.  4 weeks is chump change in the larger
scheme.  Cookies are a much smaller risk, since I've found them to be
pretty server-side honorable.

Any comments, of course would be more than welcome.  
Best Regards,
Van
- 
=========================================================================
Linux rocks!!!   www.dedserius.com
=========================================================================
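The cookie scheme Van describes above (a 60-minute cookie carrying the username plus the stored PASSWORD() hash), placed beside a signed, server-checked variant, as an added example that is not from the original post and is not PHP code from the thread. It is written in Python so that it runs stand-alone; the user table, the server secret and the timestamps are constructed, and a SHA-256 digest stands in for MySQL's PASSWORD() (an assumption; the point does not depend on which one-way function produced the stored value). It also shows the "delete cookie" Van asks for, which is done by sending the same cookie name with an expiry in the past.

```python
import hashlib
import hmac
from typing import Optional

# Constructed user table standing in for the MySQL users table in the post.
# SHA-256 is a stand-in for MySQL's PASSWORD() (assumption, see lead-in).
def stored_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {"van": stored_hash("correct horse")}   # constructed sample data


# --- Scheme from the post: cookie = username + the stored password hash ---

def make_legacy_cookie(username: str) -> str:
    """Cookie value as described in the post: username plus PASSWORD() output."""
    return f"{username}:{USERS[username]}"


def check_legacy_cookie(cookie: str) -> Optional[str]:
    """Accept the cookie if the presented hash equals the stored one.

    The server never consults a clock: the 60-minute lifetime lives only in
    the browser-side Set-Cookie attribute, so a copied cookie stays valid for
    as long as the password is unchanged, and the cookie itself discloses the
    stored credential (whoever reads it can log in without the password).
    """
    username, _, presented = cookie.partition(":")
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(presented, expected):
        return None
    return username


# --- Hardened variant: username + expiry, authenticated with a server secret ---

SECRET = b"server-side secret, never sent to the client"   # constructed
SESSION_SECONDS = 60 * 60                                   # the post's 60 minutes


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_signed_cookie(username: str, now: int) -> str:
    """Cookie value 'user|expires|mac'; carries no password material."""
    payload = f"{username}|{now + SESSION_SECONDS}"
    return f"{payload}|{_mac(payload)}"


def check_signed_cookie(cookie: str, now: int) -> Optional[str]:
    """Return the username if the MAC verifies and the cookie is unexpired."""
    try:
        username, expires_str, mac = cookie.split("|")
        expires = int(expires_str)
    except ValueError:
        return None                                  # malformed
    if not hmac.compare_digest(mac, _mac(f"{username}|{expires}")):
        return None                                  # tampered or forged
    if now >= expires:
        return None                                  # expiry enforced server-side
    if username not in USERS:
        return None
    return username


def logout_header(name: str) -> str:
    """The 'delete cookie' the post asks for: resend the name with a past
    expiry and Max-Age=0; the browser discards it."""
    return (f"Set-Cookie: {name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            f"Max-Age=0; Path=/")


if __name__ == "__main__":
    now = 1_000_000                                  # constructed clock value
    legacy = make_legacy_cookie("van")
    print("legacy cookie accepted:", check_legacy_cookie(legacy))
    print("legacy cookie contains stored hash:", legacy.endswith(USERS["van"]))
    signed = make_signed_cookie("van", now)
    print("signed cookie after 10s:", check_signed_cookie(signed, now + 10))
    print("signed cookie after 1h:", check_signed_cookie(signed, now + 3600))
    print(logout_header("auth"))
```

The legacy check accepts the same cookie value at any time; only the signed variant lets the server refuse a replayed cookie after the hour is up, and a client who changes the username or the expiry field invalidates the MAC.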