First of all, thank you for your devoted answer. The method I was thinking about before was to pass the md5 hash of the password around, as the passwords are already md5'ed in the DB. Your method seems more secure as you use a totally spiced-up and personalized encryption engine.

But, the main question remains, I think. If you pass your crypted password around, then, in each page, you must check it against the database entry with a SIMPLE "equals" test. So if a user happens to get that crypted value of the password (from a temporary file on the server, for example), then all the little devil has to do is to create a dummy session user object, or in your case, array, set its password value to the stolen crypted hash and then link freely to any of your pages. Am I right?

Thanks again.

--
Pedro Alberto Pontes

"The_radix" <[EMAIL PROTECTED]> wrote in message news:003601c1f2aa$6120dbb0$f86086cb@oracle...
> Hmm yes good question..
>
> Security was (still is) a major for my organisation's site and I did
> something a little unique and robust..
>
> I love programming and I hate "stealing" (some call it borrowing) other
> programmer's scripts/code from the web.. therefore I write it _all_ myself..
>
> Trust me.. Sometimes this is a dumb attitude to take such as when I created
> my first Perl discussion forum.. still running I think
> (http://the-radix.hypermart.net i think) and that consisted of this huge
> perl system to maintain the files etc.. for members and the forum..
>
> Anyway! off the sub now..
>
> I used sessions and pass around the array of columns for that member/user ..
> but the password is put through my own fairly unbreakable (yes.. I am
> serious) password key system..
>
> An idea to make your own safe keys to pass them around or use for
> authenticating is simple maths and a crypt() or my preferred: md5()
> function..
>
> I simply do some lovely maths like for each char of pword I loop through
> them and append them onto the entire pword string plus the length, get the
> md5 of that.. then md5 that md5 with the md5 of the previous result and then
> do some maths, pick some specified characters (like every 3rd or whatever
> you wish) .. strrev( reverse the string) md5 that again, all md5'ed again..
>
> :) haha, you get the idea..
>
> SO basically you'll end up with a nice 32 char string which is QUITE safe to
> pass around and the chance anyone's gonna decrypt it IMHO is about zilch,
> buckley's, zut, nil, null, zero..
>
> And all you have to do, is when they login once, just run the password they
> entered through this "algorithm" and check it against the stored algo'd
> password..
>
> Ah yes that's the next thing.. the DB passwords will also have to be proc.
> using your algorithm..
>
> So it's kinda like a key security idea.. you are not meant to decrypt md5
> hashes.. instead recreate it using what you are supplied and then compare
> both hashes..
>
> Simple :P
>
> Ok hope that helps
>
> :::::::::::::::::::::::::::::::::::::::::::
> : Julien Bonastre [The-Spectrum.org CEO]
> : A.K.A. The_RadiX
> : [EMAIL PROTECTED]
> : ABN: 64 235 749 494
> : QUT Student :: 04475739
> :::::::::::::::::::::::::::::::::::::::::::
>
> ----- Original Message -----
> From: "Pedro Pontes" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, May 03, 2002 10:19 PM
> Subject: [PHP] Secure user authentication
>
> > Hello,
> >
> > I'm using the regular user authentication method, that is, check the
> > specified login/pass against the entries in the DB, if it is valid, create
> > the user object and register it with the section.
> >
> > How can we prevent any user from creating a simple PHP page that creates a
> > similar user object, registers it with the session and then links to my
> > pages? One way would be to check, in each page, for the password in the
> > session user object and match it with the DB entry, but storing the password
> > in the session is not advisable, as other users in the host system may have
> > access to that information.
> >
> > Please advise.
> >
> > Thank you very much for your time.
> >
> > --
> >
> > Pedro Alberto Pontes

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
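The pattern the thread is circling, as an added example in PHP (not code from either poster): the session carries only the user id and a random per-login token, the password hash never leaves the database, and every protected page checks the session token against the stored one. `$USERS` is a constructed in-memory stand-in for the users table; `login`, `current_user` and `logout` are names chosen here.

```php
<?php
// Added example, not from the thread. Constructed stand-in for the users table;
// a real site would keep these rows in the DB with a hashed password column.
$USERS = [
    'pedro' => ['id' => 1, 'pw_hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'login_token' => null],
];

// Login once: verify the password against the stored hash, then put only the
// user id and a fresh random token in the session. The hash itself is never
// copied into the session, so a readable session file does not expose it.
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);                               // drop the pre-login session id
    $token = bin2hex(random_bytes(32));
    $users[$username]['login_token'] = hash('sha256', $token); // DB keeps only a hash of the token
    $_SESSION['uid']   = $users[$username]['id'];
    $_SESSION['token'] = $token;
    return true;
}

// On every protected page: the session must carry a token that still matches
// the user's current login token. A hand-built session array without the
// right token, or a token revoked by logout, is rejected here.
function current_user(array $users): ?string
{
    if (!isset($_SESSION['uid'], $_SESSION['token'])) {
        return null;
    }
    foreach ($users as $name => $u) {
        if ($u['id'] === $_SESSION['uid'] && $u['login_token'] !== null
            && hash_equals($u['login_token'], hash('sha256', $_SESSION['token']))) {
            return $name;
        }
    }
    return null;
}

// Logout: clearing the stored token invalidates every copy of the session token.
function logout(array &$users, string $username): void
{
    $users[$username]['login_token'] = null;
    $_SESSION = [];
    session_destroy();
}

session_start();
if (login($USERS, 'pedro', 'correct horse')) {
    echo "logged in as ", current_user($USERS), "\n";
}
```

The token is still a bearer secret, so on a shared host also point `session.save_path` at a directory only this site's user can read; what the design buys is that a leaked value can be revoked with one DB update and never reveals the password hash.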