>>>>> "Paul" == Paul Bennett <[EMAIL PROTECTED]> writes:

    Paul> Given that your proposed solution is arguably far more
    Paul> complex, I'm struggling to see the benefits against standard
    Paul> application / session-based security. Would you be able to
    Paul> outline what you see the benefits being?

I hope you're not arguing that cookie-based authentication is:

1. Easy to implement.

2. Free of significant security issues.

On 1, it's very complex and most people won't get it right. On 2,
given the mounting number of significant issues with cookie-based
authentication, I think it's completely broken. With more and more
wireless networks, and the triviality with which many can be broken,
cookies are extremely insecure. If you use a cookie over a wireless
network and you're not using a VPN, you might as well be advertising
your password in this newsgroup.

So the complexity of this approach is relative to cookie-based
complexity, and probably less complex. It's also very much more
secure. And part of the complexity is because browsers don't allow you
to log out, so we need some trickery here. Hopefully this gets fixed if
more people use this approach.

On shared hosting: you get what you pay for obviously.


The benefits are that we don't use cookies, so no privacy concerns,
we're much more secure, security is declarative (PHP frameworks give you
that as well of course), it works for every resource including images and
PDFs (which you would have to cloak with PHP otherwise), and we can take
advantage of HTTP (intermediary) caches.

-- 
Cheers,

Berend de Boer

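The point above about a session cookie on an unencrypted wireless network, as an added example that is not part of the original post. It uses a constructed HTTP request/response capture (the host `shop.example`, the `PHPSESSID` name and its value are made up) to show what a passive listener on the same network learns, how little it takes to replay it, and a check for the `Secure` and `HttpOnly` attributes a server should set on a session cookie if it issues one at all:

```python
"""Added example (not from the original post): what a cleartext session cookie gives away.

The captured bytes below are constructed; an attacker on a shared or cracked
wireless network would see exactly this kind of traffic for plain HTTP.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Constructed capture of a request the victim's browser sends in cleartext.
CAPTURED_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: PHPSESSID=3f9a1c2d7e8b4a5f; lang=en\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Constructed response that issued the cookie without the Secure attribute,
# so the browser will keep sending it over plain HTTP.
CAPTURED_RESPONSE_WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: PHPSESSID=3f9a1c2d7e8b4a5f; Path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Same response with the attributes that keep the cookie off cleartext
# connections and out of reach of page scripts.
CAPTURED_RESPONSE_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: PHPSESSID=3f9a1c2d7e8b4a5f; Path=/; Secure; HttpOnly\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a captured HTTP message into a lowercase header-name -> value map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop request/status line
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def sniff_session_cookie(raw_request: bytes, name: str = "PHPSESSID") -> Optional[str]:
    """What a passive listener learns from one cleartext request: the session id."""
    cookie_header = parse_headers(raw_request).get("cookie")
    if cookie_header is None:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(name)
    return morsel.value if morsel else None


def replay_request(session_id: str, path: str = "/account") -> bytes:
    """The attacker's forged request: no password needed, the cookie is the login."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: shop.example\r\n"
        f"Cookie: PHPSESSID={session_id}\r\n\r\n"
    ).encode()


def audit_set_cookie(raw_response: bytes) -> List[str]:
    """Return the attributes missing from the response's session cookie.

    'Secure' stops the browser sending the cookie over plain HTTP at all;
    'HttpOnly' keeps it away from page scripts.
    """
    set_cookie = parse_headers(raw_response).get("set-cookie", "")
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]


if __name__ == "__main__":
    sid = sniff_session_cookie(CAPTURED_REQUEST)
    print("sniffed session id:", sid)
    print("replay:", replay_request(sid))
    print("weak response missing:", audit_set_cookie(CAPTURED_RESPONSE_WEAK))
    print("hardened response missing:", audit_set_cookie(CAPTURED_RESPONSE_HARDENED))
```

Running it shows the session id recovered from the request bytes alone and a replay request that needs nothing else; the weak response fails the audit on both attributes, the hardened one passes. Note that `Secure` only helps if the site is actually served over HTTPS, which is the VPN-free case the post says is missing.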
NZ PHP Users Group: http://groups.google.com/group/nzphpug