Hi Rasmus, nice to see you still watching over us on the lists. I feel like
I've been ticked off by my dad though... :)
Rasmus Lerdorf <[EMAIL PROTECTED]> said:
> > I want to use PHP4 sessions for authentication,
>
> Ok, stop right there. Sessions and authentication have nothing to do with
> each other. To create a secure authenticated site you should be using
> HTTP-based authentication over SSL. Sessions are simply for maintaining
> state across http requests and have nothing to do with authentication.
>
Ah, have a little more faith in one of your older users Rasmus. I'm not
talking about the be-all and end-all of authentication here - if I was doing
that, I would set up a PKI. I'm talking about regular authentication on
websites, like thousands - tens of thousands - of sites use every day. Sites
like Hotmail, Yahoo!, even Zend.com, which uses PHP sessions for tracking a
user's session after they've been authenticated (which is really a follow-on type
of authentication). It also uses the user's IP address, which seems a bit icky
for the reasons stated in my previous email, but maybe they've figured a way
around the problem.
What I'm asking is basically "What's the best and easiest way to go about
this?" I have come up with a solution of sorts though, and I'd be interested
in your opinion. I set up a user with a PHP session, and of course a timeout.
If they have cookies turned on, I set another cookie with a hash of the
username and password, or something else. But my final line of defense for
users that don't have cookies is a URL and HTTP_REFERER comparison check.
That is, on every request I log the URL requested as a session variable. On
every subsequent request I compare the HTTP_REFERER with the logged URL, and
if they match there's a pretty good chance it's not someone spoofing.
Granted, it's not foolproof, but it'd be pretty hard to spoof, right?
Anyway, I'd be interested in your opinion, and I'd also be interested in
whether you're coming to Dublin for ApacheCon Europe? I hope to meet you
there if you are.
adam
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
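The session-bound Referer check Adam sketches, written out as an added PHP example that is not code from the original post. It assumes the session has already been started and that a hypothetical login.php has set `$_SESSION['authenticated']` once the user proved their credentials; the check fails closed when the Referer header is missing, and the very first page after login (no logged URL yet) just records its URL.

```php
<?php
// Added example (not from the original email): the session-bound Referer
// check described in the post. Assumes a hypothetical login.php has set
// $_SESSION['authenticated'] = true after verifying the user's credentials.
session_start();

// Canonical URL of the current request (scheme + host + path + query).
function current_url() {
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    return $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
}

// Compare the Referer the client sent with the URL logged on the previous
// request. Returns true only when both are present and match exactly; a
// missing or different Referer counts as a failed check.
function referer_matches_logged_url() {
    if (empty($_SESSION['last_url']) || empty($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    return $_SESSION['last_url'] === $_SERVER['HTTP_REFERER'];
}

// Record this request's URL so the next request can be checked against it.
function log_current_url() {
    $_SESSION['last_url'] = current_url();
}

// Per-page flow for a user who has already logged in.
if (empty($_SESSION['authenticated'])) {
    header('Location: /login.php');   // hypothetical login page
    exit;
}

// First request after login: nothing logged yet, so only record the URL.
// Every later request must arrive with a Referer equal to the logged URL,
// otherwise the session is dropped and the user is sent back to log in.
if (!empty($_SESSION['last_url']) && !referer_matches_logged_url()) {
    session_destroy();
    header('Location: /login.php');
    exit;
}
log_current_url();
?>
```

Because the Referer is supplied by the client (and some browsers and proxies strip it), this check is only one signal on top of the session timeout and the cookie described in the post, not a replacement for them.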