Chris Knadle wrote:
> On Thursday 15 October 2009, John D. Mort wrote:
> > I'm guessing the way to go about this would be to set up
> > authentication so that they enter a username/password, if the password
> > matches they get a cookie, then as they click around apache queries
> > that cookie to determine what content to display. Am I on the right
> > track here?
>
> That sounds like an insecure mostly client-side control method. It may not
> matter in this case -- but I'm pointing it out anyway because it doesn't sound
> right. If a user signs up for a new account and then modifies the cookie sent
> then it seems like their access privileges will change without merit.
This is the approach I've always used - the things to remember are:

1) the cookie should be opaque (so no opportunity for privilege escalation)
   and not easily derivable (so it's not easy to guess the cookie of a
   logged in user)
2) Always use HTTPS so your auth info doesn't get transmitted in plain text.
3) time out sessions

Of course, that still leaves you vulnerable to client side cookie theft, fake
SSL certificates, phishing attacks, numerous forms of cross-site scripting,
etc. I'm no expert either and it could be I'm just sitting here waiting for
my site to get hacked (and now inviting it by posting about it). If you can
stomach them, canned solutions are probably a better bet.

Another option is just the forms of authentication built into HTTP, but
sadly, these kind of suck. Your browser deals with the authentication and
pops up a user-id/password box and you have very little control over the
user's experience.

> I'm certainly no web expert, but I've heard others traditionally do this via
> authentication to either an SQL or LDAP backend (i.e. some kind of auth
> database) but I don't know specifically why.

You can use either of these to store user info. Any of the FOSS SQL databases
will probably do what you want.

> -- Chris
>
> --
> Chris Knadle
> [email protected]
> _______________________________________________
> Mid-Hudson Valley Linux Users Group http://mhvlug.org
> http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
> Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
> Oct 7 - Glade - Linux GUIs made easy
> Nov 4 - Google Wave
> Dec 2 - MythTV
> Jan 6 - Git

=============================================================================
michaelMuller = [email protected] | http://www.mindhog.net/~mmuller
-----------------------------------------------------------------------------
Society in every state is a blessing, but government even in its best state
is but a necessary evil; in its worst state an intolerable one...
- Thomas Paine
=============================================================================
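The session pattern the reply lays out (points 1 to 3), as an added example in Python that is not code from the list thread: the cookie carries only an opaque random token, the user and role stay in a server-side table keyed by that token, sessions expire, and the cookie is sent with Secure and HttpOnly. The account table, user name, password and role are constructed for the example, and the naive parser at the top shows the design Chris objected to, where the role is read out of the cookie itself.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # seconds; point 3 in the post: time out sessions

def hash_password(password, salt):
    # PBKDF2 so the account table never holds a plain password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account table (hypothetical user, password and role).
_SALT = secrets.token_bytes(16)
USERS = {"alice": {"salt": _SALT, "hash": hash_password("correct horse", _SALT), "role": "user"}}

def naive_role_from_cookie(cookie):
    # The design Chris warned about: the role is read out of the cookie itself,
    # so whoever edits the cookie chooses their own privileges.
    fields = dict(kv.split("=", 1) for kv in cookie.split("; "))
    return fields.get("role", "anonymous")

class SessionStore:
    # Point 1: the cookie carries only an opaque, unguessable token; the user
    # and role live in this server-side table keyed by that token.
    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self._sessions = {}
        self._ttl, self._now = ttl, now

    def login(self, username, password):
        rec = USERS.get(username)
        if rec is None or not hmac.compare_digest(
                hash_password(password, rec["salt"]), rec["hash"]):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: not derivable from anything
        self._sessions[token] = {"user": username, "role": rec["role"],
                                 "expires": self._now() + self._ttl}
        return token

    def lookup(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None  # unknown or forged token: no session
        if self._now() > s["expires"]:
            del self._sessions[token]  # point 3: expired, force a new login
            return None
        return s["user"], s["role"]

def set_cookie_header(token):
    # Point 2: Secure limits the cookie to HTTPS; HttpOnly keeps page scripts away from it
    return f"Set-Cookie: sid={token}; Secure; HttpOnly; Path=/; SameSite=Lax"
```

An edited token simply fails the table lookup, whereas editing `role=user` to `role=admin` in the naive scheme changes what the server believes.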
