[PHP] Re: Password storage system

2003-08-06 Thread Sek-Mun Wong
(This is a bit off topic, but I thought it might be helpful to some developers,
it deals more with security concepts than PHP per se)

I may be going out on a limb here, but  I doubt you'll find something in the
GPL/open source domain.

We've built our own and it pretty much does what you've described (used to work
for a bank, I did)

If I could help to put you on the right track in terms of design, what
you'll need is not just a password system, sounds like you want an authority
system, with groups & roles. You really want to design a system that relies
on resource objects for authentication and authorisation. Also to complete
the security jargon, encryption and non-repudiation (mostly means logging &
auditing)

If you want to look at something that W3C is working on, try SAML, the
security assertion markup lang... but it's in draft last time I looked, and
that deals with authority and authentication. And it's all markup-ish and
xml-ish of course ;-) There should be some tools based on SAML out there, I
haven't looked, possibly not in PHP though.

Back to building it: Think of authentication not only as passwords,
there's PIN authentication, there's token authentication (one-use tokens or
multi-use tokens) and also digital certs, smart cards, RPGs (random
password/pin gens a la SafeWord), etc. (i.e., password types)

Then you need to ask, can a user with the right password access this
resource? Does he need a password AND a cert? Does this bank account need
two authorisers to sign off before you allow the money transfer?

Of course one way crypt passwords are a must, but that's so simple it's a
given.

The above are just some things to think about before you embark on your quest
to find the solution :) And it really depends what you want to do and how
robust your solution needs to be.

I can give you a few pointers if you want to take the discussion offline and
email me.

Daevid Vincent [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I'm in search of an 'enterprise level' password storage system.

I have looked at phpMyPass and it looks promising, but the demo doesn't seem
to have everything I want.
http://freshmeat.net/releases/127316/
While this one says v2.0
http://www.phpmypass.paniris.com/
Says 1.0 ??

I need it to be multiuser, have different security levels/access, encrypt
and decrypt on the fly (phpmypass has all the passwords in the rendered HTML
page :-( ), grouping of passwords (i.e. 'internal servers', websites, banks,
clients sites, personal, etc).

Ideally it should use mod_auth_mysql for security. The storage should be
encrypted so that even root can't see the passwords in the database without
the decryption key. Perhaps use a strong crypto algorithm for the important
fields, not just the pw.

I'd like to store: common name, url, username, pw, notes, incept date, last
mod date at least.

I could build this myself, or I could take phpMyPass and run with it, but I
thought I'd see if there were anything else out there before I build this.

http://daevid.com


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
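
An added example, not part of the original post: one way to express the "resource decides what it needs" design from the reply above, where each resource lists the authentication types it requires and how many distinct authorisers must sign off, with every decision written to an audit trail. The policy table, resource names, users and the authorise() function are hypothetical.

```php
<?php
// Hypothetical policy table: each resource lists the authentication types that
// must ALL be verified, and how many distinct authorisers must sign off.
const POLICY = [
    'intranet.page'  => ['factors' => ['password'],          'authorisers' => 0],
    'admin.console'  => ['factors' => ['password', 'cert'],  'authorisers' => 0],
    'funds.transfer' => ['factors' => ['password', 'token'], 'authorisers' => 2],
];

function authorise(string $resource, array $session, array $signoffs, array &$audit): bool
{
    $user   = $session['user'];
    $policy = POLICY[$resource] ?? null;
    if ($policy === null) {
        $audit[] = "$user $resource DENY unknown resource";
        return false;                                  // default deny
    }
    // Every factor the resource asks for must already be verified in the session.
    $missing = array_diff($policy['factors'], $session['verified']);
    if ($missing) {
        $audit[] = "$user $resource DENY missing " . implode(',', $missing);
        return false;
    }
    // A sign-off counts once per person, and never from the requester.
    $approvers = array_unique(array_diff($signoffs, [$user]));
    if (count($approvers) < $policy['authorisers']) {
        $audit[] = "$user $resource DENY needs {$policy['authorisers']} authorisers";
        return false;
    }
    $audit[] = "$user $resource ALLOW approvers=" . implode(',', $approvers);
    return true;
}

// Constructed session and sign-offs for illustration.
$audit = [];
$alice = ['user' => 'alice', 'verified' => ['password', 'token']];
authorise('admin.console', $alice, [], $audit);                 // cert not presented
authorise('funds.transfer', $alice, ['alice', 'bob'], $audit);  // self sign-off ignored
authorise('funds.transfer', $alice, ['bob', 'carol'], $audit);  // two other approvers
echo implode("\n", $audit), "\n";
```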



Re: [PHP] load the PHP script last on the page

2003-08-01 Thread Sek-Mun Wong
I agree with Chris' method, but if you don't have cron, then what I do is a
page-based cache.

Since weather does not change with every page hit, you could store the
parsed page inside a database, or even write it to a flat file, so if the
page is hit 100 times an hour, and you do an hourly refresh on the cached
version, you only get 1 slow page per hour, instead of 100. If the page
gets hit 1000 times... you get the idea.

You could check timestamps of the file (using file based caching) or add a
timestamp field in your sql table.

This sort of caching mechanism is used quite extensively on large sites, but
it's easy enough to implement for smaller sites too.

Of course, what you're doing is totally illegal, unless you have an
agreement with msn to scrape their site <g> I know we don't like microsoft,
but the law's the law ;-)

Chris W. Parker [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
DougD mailto:[EMAIL PROTECTED]
on Thursday, July 31, 2003 11:18 AM said:

 If it were possible I want the include to occur after the rest of the
 page is loaded.

Maybe instead of including the file that does the processing and waiting
forever for it to finish, you might consider setting up that same page
as a cron job and have it create another page on your server that you can
quickly read/parse into your web page.

You could have the cron job run every 1/2/3/4/5/10/15 minutes depending
on how accurate it needs to be. Each time the page is loaded by the
browser the server will grab the latest version and display it.


hth,
Chris.
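
An added example, not part of the original thread: the file-based, timestamp-checked page cache described in the reply above, with an hourly refresh. The function name cachedPage(), the cache file name and the stand-in $slow fetcher are assumptions; the cache is written through a temporary file and rename() so a concurrent reader never sees a half-written page.

```php
<?php
// $fetch is any callable that returns the slow page as a string (hypothetical).
function cachedPage(string $cacheFile, int $ttl, callable $fetch): string
{
    clearstatcache(true, $cacheFile);
    $mtime = is_file($cacheFile) ? filemtime($cacheFile) : false;
    if ($mtime !== false && time() - $mtime < $ttl) {
        return file_get_contents($cacheFile);       // still fresh: fast path
    }
    try {
        $page = $fetch();                           // the one slow hit per $ttl
    } catch (Throwable $e) {
        if ($mtime !== false) {
            return file_get_contents($cacheFile);   // upstream failed: serve stale copy
        }
        throw $e;
    }
    // Write to a temp file in the same directory, then rename over the cache.
    $tmp = tempnam(dirname($cacheFile), 'cache');
    file_put_contents($tmp, $page);
    rename($tmp, $cacheFile);
    return $page;
}

// Constructed demo: 100 page hits within the hour trigger a single slow fetch.
$file = sys_get_temp_dir() . '/weather_cache_demo.html';
@unlink($file);
$calls = 0;
$slow = function () use (&$calls) {
    $calls++;
    return "<p>Weather page, fetch #$calls</p>";
};
for ($i = 0; $i < 100; $i++) {
    cachedPage($file, 3600, $slow);
}
echo "100 hits, $calls slow fetch(es)\n";
```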





[PHP] Re: splitting content into pages

2003-07-30 Thread Sek-Mun Wong
It depends on how complex your content is.

I've had a few unsuccessful attempts at this as it gets too messy. Assuming
your content contains html (like news), it means you have to ignore tags,
but your tags may have images in them, etc. etc., further adding to your
alignment woes. Also, splitting tags may mean that a <tag> may be without a
</tag> on the same page. Doing it automatically is just too cumbersome.

One technique I employ now is using a <!--PAGE--> comment tag inside the
html content, and then split the page using this delimiter.

It works quite well, allows me to break within a table or if the table runs
over, it means I have to close the table and open another one.

Ultimately, it's not ideal as it requires manual labour, but if you're
dealing with HTML content, that's the only way. It also allows you to
remassage your pages relatively easily if you're swapping over templates.

The proper way to do it is if your original content is XML, then you
would write XSLT to chunk up the pages. I just assume not because it's
unlikely that you would.

This problem of decoupling presentation with representation is hard to avoid
if your original content is already coupled to pre-existing presentation.


[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 hi there , i have an issue trying to split content into pages , we have a
 popup with content and a background image with a set height , when there is
 more content the background repeats , theoretically i'd want to split the
 content into pages after a given length or line length or where it meets
 the background image height how can i do this ?







[PHP] Re: Apache logs to keep $_POST values

2003-07-29 Thread Sek-Mun Wong
No, that's (partially) the idea of a POST.

E.g., if a login script was done under SSL using an HTTP GET, even if you were
using 1 way crypt on the password, the cleartext would still be logged,
which is undesirable.

besides, how would you log a multi-part mime upload file in POST?

The only way I can think of is if you write your own/find an apache mod.
(which ignores multi-part mimes)


Bogdan Albei [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Is there any way to log the $_POST values passed to the PHP scripts in
 Apache's access log?
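
An added example, not part of the original thread: the access-log side of the point made in the reply above. A credential sent in a GET query string is written to the log in cleartext while a POST body is not, and this sketch flags and redacts such lines. The log lines are constructed samples in Apache combined format; the SENSITIVE list and the redactLine() name are assumptions.

```php
<?php
// Constructed sample lines in Apache combined log format (not real traffic).
$lines = [
    '192.0.2.10 - - [29/Jul/2003:10:01:02 +1000] "GET /login.php?user=alice&password=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Jul/2003:10:01:09 +1000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [29/Jul/2003:10:02:30 +1000] "GET /reset.php?token=abc123&lang=en HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
];

// Parameter names treated as secrets (an assumption; extend for your application).
const SENSITIVE = ['password', 'passwd', 'pwd', 'pin', 'token'];

function redactLine(string $line, bool &$hit): string
{
    $hit = false;
    // The request line is the quoted field "METHOD target PROTOCOL".
    if (!preg_match('/"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/', $line, $m, PREG_OFFSET_CAPTURE)) {
        return $line;
    }
    [$target, $offset] = $m[2];
    $qpos = strpos($target, '?');
    if ($qpos === false) {
        return $line;                 // no query string, e.g. a POST: nothing logged
    }
    $pairs = explode('&', substr($target, $qpos + 1));
    foreach ($pairs as &$pair) {
        [$name] = explode('=', $pair, 2);
        if (in_array(strtolower(urldecode($name)), SENSITIVE, true)) {
            $pair = $name . '=[REDACTED]';
            $hit  = true;
        }
    }
    unset($pair);
    $clean = substr($target, 0, $qpos + 1) . implode('&', $pairs);
    return substr_replace($line, $clean, $offset, strlen($target));
}

foreach ($lines as $line) {
    $clean = redactLine($line, $hit);
    if ($hit) {
        echo "credential in logged URL: $clean\n";
    }
}
```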






[PHP] setting Apache's $REMOTE_USER externally

2002-04-21 Thread Sek-Mun Wong

(re-post into php.general)

I think this is an Apache question more than PHP, but I'll give it a
whirl.

Aside from the new apache_setenv in 4.2RC3+ (and I haven't tried), is
there a way to set $REMOTE_USER from PHP?

Let me explain:

I have an external (ie, custom) authentication process (hate basic auth)
but I want the web logs to reflect the user visits (ie, I think from
memory REMOTE_USER is the var that gets logged)

In any case, after authentication, I'd like to set $REMOTE_USER and fool
Apache into thinking that it's done a basic auth and will now log users
as per basic auth.

I've worked on an iPlanet server that's achieved this, but not without a
custom built NSAPI module (in this case would be Apache API)

I know it's pretty specific but if you can help at all I'd appreciate
it... My next step is hacking out an apache module, but that's a..
ahh... not so preferred approach ;-)

Regds,
Sek-Mun

Sek-Mun Wong
Connecting Space
Sydney, Australia



