Lazor, Ed wrote:
>Use sessions. Create a user_id and pass that as a session variable rather
>than the user's actual login and password.
>On my site, when a user logs in, their password is encrypted using md5() and
>the username and encrypted password are then passed from page to page using
>hidden form inputs (clicking on a link submits the form using POST).
>Does anyone have any comments on this method e.g. security wise? I know I
>could use sessions or cookies but is it really necessary?
This is good advice. There are many reasons why, but here's one off the
top of my head:
When you pass the encrypted password around, you can pretty much
consider it in the public domain, right? Well, what happens when someone
else takes that encrypted password (why bother decrypting it?) and
presents it back to your site? That's right; they're in. This is called
a presentation attack, and you'd be amazed at how many sites are
vulnerable to this (I wrote an article a while back about how to break
into MS Passport using this technique).
How do sessions help against this? Well, they don't solve the problem
entirely, of course, but the unique ID you pass around won't be the same
unique ID *every* time that user visits the site. So, you at least have
a good chance of making the window of time that an imposter has to work
with very small.
Security is all about making things really hard for potential attackers.
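To make the two approaches concrete, here is an added example (not code from anyone in this thread): the hidden-field check the question describes, next to a session-based login that keeps the password out of every later request. It assumes a `$users` array for each variant (username => md5 hash for the first, username => `password_hash()` value for the second) and PHP 5.5 or later.

```php
<?php
// Added example, not from the thread. The $users arrays are assumed lookups
// into your own user store; $_POST and $_SESSION are PHP's own superglobals.

session_start();

// --- Scheme from the question: username + md5(password) in hidden inputs ---
// The md5 value is a fixed bearer token. Anyone who obtains it can present it
// on every later request and this check passes, for as long as the user's
// password stays the same. Nothing ties it to a browser, a login or a time.
function auth_from_hidden_fields(array $post, array $users_md5): bool {
    $u = $post['username'] ?? '';
    $h = $post['pwhash'] ?? '';
    return isset($users_md5[$u]) && hash_equals($users_md5[$u], $h);
}

// --- Session-based alternative recommended in the reply ---
// On login: verify the credentials once, then issue a fresh session ID that
// carries only the user_id. That ID is all the client presents afterwards;
// it is different on every login and the server can invalidate it at will.
function login(string $username, string $password, array $users_hashed): bool {
    if (!isset($users_hashed[$username])
        || !password_verify($password, $users_hashed[$username])) {
        return false;
    }
    session_regenerate_id(true);      // fresh ID; a pre-login ID is now useless
    $_SESSION['user_id']  = $username;
    $_SESSION['login_at'] = time();
    return true;
}

// On every later page: no username or password hash appears in the request.
// A maximum age bounds the window an imposter with a copied ID has to work with.
function current_user(int $max_age = 1800): ?string {
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'])) {
        return null;
    }
    if (time() - $_SESSION['login_at'] > $max_age) {
        logout();
        return null;
    }
    return $_SESSION['user_id'];
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}
```

With the hidden-field scheme, rotating the token is impossible without changing the password; with the session scheme, `logout()` or the age check ends a captured ID's usefulness on the server side.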
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php