I can't see any encryption package for Zend though all of the PEAR
crypt packages are either mangling the session id or mangling the
controller application because its encrypted string after base64
encoding adds forward slashes so breaks the param.
On 15/10/2007, at 12:04 PM, Daniel Rossi wrote:
The other thing is I could use some encryption package with a salt,
I guess?
On 13/10/2007, at 10:31 AM, Jared Williams wrote:
-----Original Message-----
From: Daniel Rossi [mailto:[EMAIL PROTECTED]
Sent: 12 October 2007 12:09
To: Zend Framework General
Subject: [fw-general] Securely exposing session id from Zend_Auth
Hi there, tricky question: I have a project which is using
Zend_Auth, however when loading a controller via a windows
media player plugin in firefox, the netscape plugin will
attempt to create its own session cookie, requiring the session
id to be sent in the params to the controller outputting a
playlist. How is it possible to securely expose the session
id, i.e. encrypting it and adding as a javascript variable, so
it can be sent along with the request to the src of the
plugin object code.
Sorry if this might sound confusing here is how the
javascript code builds the embed like
src='/videocontroller/k/sessionidhere'
My issue is if it's exposed is it possible to add the session
cookie into another browser to get around the Zend_Auth login?
Do you need to access the session for the video url, or is it just
to ensure that only logged in people can view videos?
If the latter, just create and use an unpredictable token. For instance
a hash of the url, a secret key, and the time. And use a url like
/videocontroller/hash/time . Then the video controller can validate
the hash, check the time isn't too distant, and then stream the video.
Jared
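
The /videocontroller/hash/time scheme suggested above, sketched in PHP as an added example that is not code from the thread or from Zend Framework. It swaps the plain hash for HMAC-SHA256 and hex-encodes the result, which also avoids the base64 forward-slash problem with route params. SECRET_KEY, MAX_AGE and both function names are hypothetical, and PHP 7.1+ is assumed.

```php
<?php
// Added example: signed, expiring link of the form <base>/<hash>/<time>.
// SECRET_KEY, MAX_AGE and the function names are hypothetical.

const SECRET_KEY = 'replace-with-random-server-side-secret'; // placeholder value
const MAX_AGE    = 300; // seconds a link stays valid (assumed window)

// Called when rendering the page for a logged-in user.
function makeVideoUrl(string $base, int $now): string
{
    // Hex HMAC output contains only [0-9a-f], so it is safe as a path segment.
    $mac = hash_hmac('sha256', $base . '|' . $now, SECRET_KEY);
    return $base . '/' . $mac . '/' . $now;
}

// Called in the video controller before streaming anything.
function validateVideoRequest(string $base, string $mac, string $time, int $now): bool
{
    // The time segment must be plain digits before it is trusted as a number.
    if (!ctype_digit($time)) {
        return false;
    }
    $issued = (int) $time;

    // Reject links dated in the future or older than the allowed window.
    if ($issued > $now || $now - $issued > MAX_AGE) {
        return false;
    }

    // Recompute the MAC over the same fields and compare in constant time.
    $expected = hash_hmac('sha256', $base . '|' . $issued, SECRET_KEY);
    return hash_equals($expected, $mac);
}

// Constructed sample run: issue a link, then check it fresh, stale and tampered.
$now = time();
$url = makeVideoUrl('/videocontroller', $now);
[, , $mac, $time] = explode('/', $url);

var_dump(validateVideoRequest('/videocontroller', $mac, $time, $now));          // fresh link
var_dump(validateVideoRequest('/videocontroller', $mac, $time, $now + 3600));   // past MAX_AGE
var_dump(validateVideoRequest('/videocontroller', $mac, (string) ($now + 1), $now + 1)); // altered time
```

The session id never appears in the URL, so a copied link cannot be turned into a login session. The link itself still works for anyone who obtains it until it expires, so the window should stay short.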