Please note:
The php-dev list is for developers of PHP (who create/maintain PHP, which
is written in C); questions about programming in PHP should be addressed to
[EMAIL PROTECTED] For more information, please see
php.net/support.php.

---shifted to php-general from php-dev---
> I would like to ask if it is secure to use php sessions when dealing
> with form passwords, i.e., submitting and validating passwords online?
>
> Any ideas or solutions for how I can make the processing of passwords secure?

Just a couple of ideas....
1) Never set a cookie containing a password (I suppose you could MD5 encode
it and do it...)
2) Passwords aren't secure in a basic authorization environment, nor are
they secure if they're sent with an HTML form unless you're on an SSL
connection

Poor security: log in with a form or basic authentication; set cookie on
client with username/password combo (vulnerable to network sniffers,
anybody with access to browser's cookie file)
Decent security: log in with form or basic authentication; set cookie with
session id number and store user information in session database (or
session file or in session memory or however your sessions are handled...)
(vulnerable to sniffers)
Good security: perform auth over a secure connection, set cookie with
session id number and store user information (including ip address) in
session database (and check ip address for a match before allowing any
activity with the session)... (vulnerable to somebody copying a sniffed
session id and spoofing the ip address to trick the remote site)
Very good: keep the thing on a secure connection all the time, set a
session id cookie and keep all user info (possibly including remote ip) in
the server's session db... (vulnerable to nothing I can think of at the
moment...)

There are probably more things you could do I haven't thought of... but
this oughta be a decent start ;)

--Toby
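The "good"/"very good" tier Toby describes (authenticate over a secure connection, hand the browser only a session id cookie, keep the user record and the client's IP address on the server, and check the IP on every request) as an added example in PHP. This is not code from the original post; it assumes PHP 7.4 or later, that the whole site is served over HTTPS, and it uses a constructed in-memory user store and a hypothetical /account.php landing page in place of a real database and application.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a user table. A real application stores the
// password_hash() output in its database; the plaintext is hashed here only
// so the example runs without a database.
function user_store(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Hash verified against when the username is unknown, so a failed login
// takes the same time whether or not the account exists.
function dummy_hash(): string
{
    static $h = null;
    return $h ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
}

// Start the session with a cookie the browser only sends over TLS and that
// page scripts cannot read. Must be called before any output.
function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1'); // refuse session ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,      // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // invisible to document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Validate the posted form credentials. The password is never written to the
// session or to a cookie; only the outcome of the login is.
function login(string $username, string $password): bool
{
    $users = user_store();
    $hash  = $users[$username] ?? dummy_hash();
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }
    // Fresh id after authentication, so an id planted before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['login_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'secure' => true, 'httponly' => true]);
    session_destroy();
}

// Gate for every protected page: the session must be authenticated and the
// request must come from the address that logged in. On mismatch the session
// is ended rather than trusted.
function require_login(): string
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('not logged in');
    }
    if (!hash_equals((string) ($_SESSION['ip'] ?? ''), (string) ($_SERVER['REMOTE_ADDR'] ?? ''))) {
        logout();
        http_response_code(401);
        exit('session rejected: client address changed');
    }
    return $_SESSION['user'];
}

// Dispatch: the login form POSTs 'username' and 'password' over HTTPS.
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login((string) $_POST['username'], (string) $_POST['password'])) {
        header('Location: /account.php');   // hypothetical landing page
        exit;
    }
    http_response_code(403);
    exit('bad username or password');
}
$user = require_login();
echo 'hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Two design notes. The IP comparison is exactly the check described above, with the weakness Toby already names: a sniffed id plus a spoofed source address gets past it, and it also logs out legitimate users whose address changes mid-session (mobile networks, proxy pools, NAT rotation), so some sites store the IP but only log mismatches rather than rejecting them. The `session.use_strict_mode` setting and `session_regenerate_id(true)` after a successful login are additions beyond the post: together they stop an attacker from handing the victim a known session id before login and reusing it afterwards.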


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
