List: General Discussion
From: Sasha Pachev
Date: May 17 1999 6:21am
Subject: Re: PHP Tracking of Variables (was) Per User Password Administration
Van wrote:
> 
> <snip--anyone interested in this?--snip>
> >
> > Does PHP have support for cookies? If not, or do you not want cookie
> > warnings to be seen by the cookie-paranoid just use a hidden input in
> > the form. If you want to be really "bullet-proof" (well, nothing is
> > really bullet-proof) secure, you should not trust the value of the
> > cookie/hidden input but always authenticate it against some
> > authentication schema.
> Yeah, Sasha, we have cookie support in PHP.  I can't necessarily
> discredit it either, but, like your insinuations, I fought for 4 hours
> to find a better solution.  I actually had one for a time, but, there
> was a flaw that destroyed that approach (PHP is process-oriented {good
> for security:  I like}, and, destroys putenv vars along its course.
> I'm for this, but, it obviously creates more work).
> The Cookies solution works, and, is live, now, after a mere 15 minutes
> of finally relegating myself to this approach.  I'm not sold on it, but,
> I'm not sold off it, either.  The cookies die after 60 minutes, and,
> hold the username and a cryptized (via mysql select
> password("password")) call, so, I'm comfortable with that.  Have tested
> it, and, it truly snubs ambivalent attempts to snag the user name back
> to the log on page.
> Things I need now, are (delete cookie:  not native, at 1st glance,
> anyway in PHP, and, change cookie).  I hate to say it, but, this appears
> to be the most efficient approach to authentication schemes.  I know
> there are utilities out there, but, there is overhead in propagating
> these recommendations to the masses who wish to use these solutions over
> the bare-bones PHP/MySQL implementation.  I think many out there, such
> as myself, are looking for:  Okay, I'm writing this app, and, I want to
> write my own authentication, but, I don't want it to be a 4 week
> process.
> 
> In sum:  asp/IIS/mssql/frontpage does this in about a 3-day solution
> (have tested and implemented it), but, the security cost in an app such
> as I'm writing is not acceptable.  4 weeks is chump change in the larger
> scheme.  Cookies is a much smaller risk, since I've found them to be
> pretty server-side honorable.

Using CGI++, cookie security is no more than an hour's job. I do not
think it should take much longer if at all in PHP or Perl. Of course
HTTP == 0.001 security, it just protects you from the average Joe that
likes to click around. A seasoned hacker that has broken into a few
systems down the path of the connections and running a sniffer can see
EVERYTHING going back and forth in plain text (well, the password base64
encoded, but this is just as good as plain text), so for him you might
just as well have published the user names and passwords on your front
page. HTTPS makes this quite a bit more difficult, and the hacker may
find it easier to just gain root access on the web server through some
service.

-- 
Sasha Pachev
http://www.sashanet.com
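One way to carry a login in a cookie without trusting what the browser sends back, as an added example that is not code from this thread or from PHP itself: instead of storing the user name next to a password hash, the cookie holds the user name, an expiry time, and an HMAC computed with a key only the server knows, and the server recomputes the HMAC before believing either field. The cookie name, the key, and the helper names are assumptions of this example; the 60-minute lifetime follows Van's setup, and the setcookie() options array needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Names and values below are assumptions.
const COOKIE_NAME = 'auth';      // assumed cookie name
const TOKEN_TTL   = 3600;        // 60 minutes, as in Van's setup
// Placeholder: in a deployment, load a random key from configuration
// outside the web root; never hard-code it.
const SERVER_KEY  = 'replace-with-32-random-bytes';

// Build "username|expiry|hmac". Only the server holds SERVER_KEY, so the
// browser cannot forge another user name or push the expiry forward.
function make_token(string $username, int $now, string $key = SERVER_KEY): string
{
    $expires = $now + TOKEN_TTL;
    $payload = $username . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, $key);
    return $payload . '|' . $mac;
}

// Return the user name if the token is intact and unexpired, otherwise null.
// The cookie value is untrusted input until this function accepts it.
function verify_token(string $token, int $now, string $key = SERVER_KEY): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    if ($username === '' || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, $key);
    // hash_equals() compares in constant time, so a wrong MAC gives no
    // timing hint about how many leading bytes matched.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires <= $now) {
        return null;   // expired: the user has to log in again
    }
    return $username;
}

// Issue the cookie after the password has been checked server-side
// (the password check itself, e.g. password_verify(), is out of scope here).
function issue_cookie(string $username): void
{
    setcookie(COOKIE_NAME, make_token($username, time()), [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,    // HTTPS only, so a sniffer on the path never sees it
        'httponly' => true,    // not readable from script in the page
        'samesite' => 'Lax',
    ]);
}

// "Delete cookie", which Van found missing: overwrite it with an already
// expired one so the browser discards it.
function clear_cookie(): void
{
    setcookie(COOKIE_NAME, '', ['expires' => 1, 'path' => '/']);
}

// Constructed demonstration with a fixed clock so the run is reproducible.
$now   = 1000000;
$token = make_token('van', $now);
var_dump(verify_token($token, $now + 10));            // valid, inside the TTL
var_dump(verify_token($token, $now + TOKEN_TTL + 1)); // past the TTL
$forged = str_replace('van', 'root', $token);         // tampered user name
var_dump(verify_token($forged, $now + 10));           // MAC no longer matches
```

The point the example makes is Sasha's: the cookie is just a claim the browser repeats back, and the server must be able to check it without trusting it. Carrying a MAC over the claim (rather than the password hash itself) means a stolen or edited cookie cannot be turned into a different user's login, and it expires on its own; it does nothing about an eavesdropper on plain HTTP, which is why the `secure` flag ties it to HTTPS.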