Hello,

Brad Hubbard wrote:
> 
> On Tue, 16 Apr 2002 14:51, Manuel Lemos did align ASCII characters thusly:
> > > > then stored in cookie. The security weakness of this method is that if
> > > > the secret key leaks, hackers may use it to forge new sessions.
> > >
> > > Is this documented anywhere?
> > Anyway what part didn't you
> > understand?
> 
> I think I understand all of it. Serialization of a session (or session
> object) is fairly straightforward and I know how to store that in a cookie. I
> was just hoping there was a "cookbook" out there. Don't have any classes on
> your site that do this do you?  ;-)

Oh, sure, lots of them. It just depends on what exactly you would like
to see. Why don't you just take a look around to see if you find what
you want?

Here you may see all in there about authentication and sessions.

http://www.phpclasses.org/browse.html/class/21.html

Actually it could be simpler like this:

http://www.phpclasses.org/sessions

http://www.phpclasses.org/cookies

http://www.phpclasses.org/authentication

As for a cookbook, you may want to take a look at Sterling's PHP Cookbook.
Sterling is "nuts", but the book is good and has a whole chapter on
sessions and another on LDAP which may be an option depending on exactly
what you want to do.

http://www.phpclasses.org/products.html/id/0672319241.html

Talking about books, the new Professional PHP 4 Programming is also a
very good book that addresses these issues. I have just reviewed it and
all I can say is that WROX books really rock! :-)

http://www.phpclasses.org/products.html/id/1861006918.html


> > > > accesses to just one after the server is restarted. This is probably
> > > > the one you want to use as long as you know how to deal with shared memory
> > > > and semaphores.
> > >
> > > Is this documented anywhere?
> >
> > Probably only in my mind. :-)
> 
> Can I borrow it????

I'm afraid I need it now. Try again in a few decades maybe. :-)

Seriously, there is no big deal about it. It was also mentioned that
PHPlib seems to do that already, although I never tried it.

 
> > I guess you mean HTTP based authentication.
> 
> Yes.
> 
> > No, AFAIK that is very
> > unsecure because you can't end a "session" because browsers cache
> > authenticated passwords and only drop them (if they do, IE may not do
> > it) when you quit your browser. If you leave your browser terminal for
> > some time, somebody may come in and take advantage of your account
> > privileges.
> 
> The physical security of the user's machine is their responsibility. I'm
> looking for good security, ease of implementation, and scalability.
> 
> At the moment it seems to be a case of "pick any two".

Suggestion: design an API maybe implemented as a PHP class that handles
the basic functionality that you want to implement. Then you may choose
an initial approach having in mind that in the future you may evolve
your API implementation so that it better addresses those items. That way you
won't have to rewrite your application because your API is the same.

Regards,
Manuel Lemos

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
