[PHP] Storing passwords in session variables
Hi,

I have a form that has username and password fields.

While the form exists and contains various other fields the most common mode of operation is to have the form auto submit if it has enough arguments in the URL. So, someone is using an external program that has links wired as such:

test.php?start=1&end=2&this=blah&that=argh&username=user&password=pass

and when they hit that URL it sees it has enough arguments, fires and returns the result.

Client - Server is encrypted, can I toss these into session variables? The user could be coming from multiple frontends and it would be nice to forgo the user/pass in the url; give the username focus on the first visit let them drop their creds and then store them into the session so with each subsequent hit they can just get their results.

Make sense?

Note: I need to pass the credentials to an external app each time a request is made.

Thanks.

--
Paul Halliday
http://www.pintumbler.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Storing passwords in session variables
On Tue, 2012-12-11 at 08:46 -0400, Paul Halliday wrote:
> Hi,
> I have a form that has username and password fields.
> While the form exists and contains various other fields the most common mode of operation is to have the form auto submit if it has enough arguments in the URL. So, someone is using an external program that has links wired as such:
> test.php?start=1&end=2&this=blah&that=argh&username=user&password=pass
> and when they hit that URL it sees it has enough arguments, fires and returns the result.
> Client - Server is encrypted, can I toss these into session variables? The user could be coming from multiple frontends and it would be nice to forgo the user/pass in the url; give the username focus on the first visit let them drop their creds and then store them into the session so with each subsequent hit they can just get their results.
> Make sense?
> Note: I need to pass the credentials to an external app each time a request is made.
> Thanks.
> --
> Paul Halliday
> http://www.pintumbler.org/

It looks like you're trying to re-invent authorisation procedures. Typically, the first request logs a client in and retrieves a hashed key, which is then used in all subsequent requests so that the server can correctly verify the client. You can do this the way you suggested with the session, but you must ensure that the session id is passed across to your script by each of the connecting clients. That will be done either as part of the head request, or as an extra parameter in the URL.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Storing passwords in session variables
On Tue, Dec 11, 2012 at 9:02 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
> On Tue, 2012-12-11 at 08:46 -0400, Paul Halliday wrote:
>> Hi,
>> I have a form that has username and password fields.
>> While the form exists and contains various other fields the most common mode of operation is to have the form auto submit if it has enough arguments in the URL. So, someone is using an external program that has links wired as such:
>> test.php?start=1&end=2&this=blah&that=argh&username=user&password=pass
>> and when they hit that URL it sees it has enough arguments, fires and returns the result.
>> Client - Server is encrypted, can I toss these into session variables? The user could be coming from multiple frontends and it would be nice to forgo the user/pass in the url; give the username focus on the first visit let them drop their creds and then store them into the session so with each subsequent hit they can just get their results.
>> Make sense?
>> Note: I need to pass the credentials to an external app each time a request is made.
>> Thanks.
>> --
>> Paul Halliday
>> http://www.pintumbler.org/
>
> It looks like you're trying to re-invent authorisation procedures. Typically, the first request logs a client in and retrieves a hashed key, which is then used in all subsequent requests so that the server can correctly verify the client. You can do this the way you suggested with the session, but you must ensure that the session id is passed across to your script by each of the connecting clients. That will be done either as part of the head request, or as an extra parameter in the URL.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

I understand that.

The username/pass are NOT for authentication to the form, they are being passed to exec();

So, I guess in this context they are just arguments. Providing I handle the session properly, does it make sense to toss these arguments into session variables?
Re: [PHP] Storing passwords in session variables
On Tue, 2012-12-11 at 08:58 -0400, Paul Halliday wrote:
> On Tue, Dec 11, 2012 at 9:02 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
>> On Tue, 2012-12-11 at 08:46 -0400, Paul Halliday wrote:
>>> Hi,
>>> I have a form that has username and password fields.
>>> While the form exists and contains various other fields the most common mode of operation is to have the form auto submit if it has enough arguments in the URL. So, someone is using an external program that has links wired as such:
>>> test.php?start=1&end=2&this=blah&that=argh&username=user&password=pass
>>> and when they hit that URL it sees it has enough arguments, fires and returns the result.
>>> Client - Server is encrypted, can I toss these into session variables? The user could be coming from multiple frontends and it would be nice to forgo the user/pass in the url; give the username focus on the first visit let them drop their creds and then store them into the session so with each subsequent hit they can just get their results.
>>> Make sense?
>>> Note: I need to pass the credentials to an external app each time a request is made.
>>> Thanks.
>>> --
>>> Paul Halliday
>>> http://www.pintumbler.org/
>>
>> It looks like you're trying to re-invent authorisation procedures. Typically, the first request logs a client in and retrieves a hashed key, which is then used in all subsequent requests so that the server can correctly verify the client. You can do this the way you suggested with the session, but you must ensure that the session id is passed across to your script by each of the connecting clients. That will be done either as part of the head request, or as an extra parameter in the URL.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>
> I understand that.
>
> The username/pass are NOT for authentication to the form, they are being passed to exec();

I would say this is the username/password being used precisely for authentication, otherwise you wouldn't need to pass them across to exec()

> So, I guess in this context they are just arguments. Providing I handle the session properly, does it make sense to toss these arguments into session variables?

You can use the session, but the only way your script will know what session to use is if the clients are sending the session id as part of their request.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Storing passwords in session variables
On Tue, Dec 11, 2012 at 9:12 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
> On Tue, 2012-12-11 at 08:58 -0400, Paul Halliday wrote:
>> On Tue, Dec 11, 2012 at 9:02 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
>>> On Tue, 2012-12-11 at 08:46 -0400, Paul Halliday wrote:
>>>> Hi,
>>>> I have a form that has username and password fields.
>>>> While the form exists and contains various other fields the most common mode of operation is to have the form auto submit if it has enough arguments in the URL. So, someone is using an external program that has links wired as such:
>>>> test.php?start=1&end=2&this=blah&that=argh&username=user&password=pass
>>>> and when they hit that URL it sees it has enough arguments, fires and returns the result.
>>>> Client - Server is encrypted, can I toss these into session variables? The user could be coming from multiple frontends and it would be nice to forgo the user/pass in the url; give the username focus on the first visit let them drop their creds and then store them into the session so with each subsequent hit they can just get their results.
>>>> Make sense?
>>>> Note: I need to pass the credentials to an external app each time a request is made.
>>>> Thanks.
>>>> --
>>>> Paul Halliday
>>>> http://www.pintumbler.org/
>>>
>>> It looks like you're trying to re-invent authorisation procedures. Typically, the first request logs a client in and retrieves a hashed key, which is then used in all subsequent requests so that the server can correctly verify the client. You can do this the way you suggested with the session, but you must ensure that the session id is passed across to your script by each of the connecting clients. That will be done either as part of the head request, or as an extra parameter in the URL.
>>>
>>> Thanks,
>>> Ash
>>> http://www.ashleysheridan.co.uk
>>
>> I understand that.
>>
>> The username/pass are NOT for authentication to the form, they are being passed to exec();
>
> I would say this is the username/password being used precisely for authentication, otherwise you wouldn't need to pass them across to exec()
>
>> So, I guess in this context they are just arguments. Providing I handle the session properly, does it make sense to toss these arguments into session variables?
>
> You can use the session, but the only way your script will know what session to use is if the clients are sending the session id as part of their request.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

Thanks :) I see the flaw in my reasoning. Just needed to talk about it!
Re: [PHP] Storing passwords in session variables
On 2012/12/11 2:46 PM, Paul Halliday wrote:
> Client - Server is encrypted, can I toss these into session variables?

Do note your full url (including user=xx&pass=yy) will be logged in apache logs, and depending on configuration in squid logs in-between too.
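
[Added example, not part of the original message or thread: a PHP sketch that checks access-log request lines for the exposure described above and redacts the credential values. The parameter-name list and the two log lines are constructed for illustration.]

```php
<?php
// Flag and redact credential parameters that ended up in logged request URLs.
// SENSITIVE_PARAMS is an assumed list; extend it to match the application.
const SENSITIVE_PARAMS = ['username', 'user', 'password', 'pass'];

/** Return [redactedLine, sensitiveNamesFound] for one access-log line. */
function redactLogLine(string $line): array
{
    // The request is the quoted field: "METHOD target PROTOCOL".
    if (!preg_match('/"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/', $line, $m, PREG_OFFSET_CAPTURE)) {
        return [$line, []];
    }
    [$target, $offset] = $m[2];
    $qpos = strpos($target, '?');
    if ($qpos === false) {
        return [$line, []];            // no query string, nothing to leak
    }
    $found = [];
    $pairs = [];
    foreach (explode('&', substr($target, $qpos + 1)) as $pair) {
        $rawName = explode('=', $pair, 2)[0];
        $name = strtolower(urldecode($rawName));
        if (in_array($name, SENSITIVE_PARAMS, true)) {
            $found[] = $name;
            $pair = $rawName . '=[REDACTED]';
        }
        $pairs[] = $pair;
    }
    $clean = substr($target, 0, $qpos + 1) . implode('&', $pairs);
    return [substr_replace($line, $clean, $offset, strlen($target)), $found];
}

// Constructed sample lines (documentation address range).
$sample = [
    '192.0.2.10 - - [11/Dec/2012:08:46:00 -0400] "GET /test.php?start=1&end=2&username=user&password=pass HTTP/1.1" 200 512',
    '192.0.2.11 - - [11/Dec/2012:08:47:00 -0400] "POST /test.php HTTP/1.1" 200 512',
];
foreach ($sample as $line) {
    [$redacted, $found] = redactLogLine($line);
    echo ($found ? 'EXPOSED(' . implode(',', $found) . ') ' : 'ok ') . $redacted . PHP_EOL;
}
```

Any password found this way has already been written to disk and possibly to intermediate proxies, so it should be treated as disclosed and changed.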
Re: [PHP] Storing passwords in session variables
On 11.12.2012 20:51, Peet Grobler wrote:
> On 2012/12/11 2:46 PM, Paul Halliday wrote:
>> Client - Server is encrypted, can I toss these into session variables?
>
> Do note your full url (including user=xx&pass=yy) will be logged in apache logs, and depending on configuration in squid logs in-between too.

Normally you would pass credentials as post variables or even better use http auth for that. (read about http code 401)

How to send in HTTP: http://en.wikipedia.org/wiki/Basic_access_authentication
Read in auth vars in PHP: http://php.net/manual/de/features.http-auth.php

--
Marco Behnke
Dipl. Informatiker (FH), SAE Audio Engineer
Zend Certified Engineer PHP 5.3
Tel.: 0174 / 9722336
e-Mail: ma...@behnke.biz
Softwaretechnik Behnke
Heinrich-Heine-Str. 7D
21218 Seevetal
http://www.behnke.biz
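
[Added example, not part of the original thread: one way to combine the suggestions above in PHP, taking the credentials from HTTP Basic auth or the POST body, keeping them in a cookie-bound session, and handing them to the external program. The tool path, its --start/--end flags and the REPORT_USER / REPORT_PASS variable names are hypothetical.]

```php
<?php
// Hypothetical names: /usr/local/bin/report-tool, --start/--end,
// REPORT_USER, REPORT_PASS. Substitute the real external application.
ini_set('session.use_only_cookies', '1'); // session id never travels in the URL
ini_set('session.cookie_secure', '1');    // cookie is sent over HTTPS only
ini_set('session.cookie_httponly', '1');
session_start();

/** Credentials from HTTP Basic auth or the POST body, never the query string. */
function credentialsFromRequest(array $server, array $post): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    if (isset($post['username'], $post['password'])) {
        return [(string) $post['username'], (string) $post['password']];
    }
    return null;
}

$creds = credentialsFromRequest($_SERVER, $_POST);
if ($creds !== null && ($_SESSION['creds'] ?? null) !== $creds) {
    session_regenerate_id(true); // fresh id whenever new secrets enter the session
    $_SESSION['creds'] = $creds;
}
if (!isset($_SESSION['creds'])) {
    header('WWW-Authenticate: Basic realm="report"');
    http_response_code(401);
    exit('Credentials required');
}
[$user, $pass] = $_SESSION['creds'];

// Only non-secret arguments go on the command line, each one shell-escaped.
$cmd = '/usr/local/bin/report-tool'
     . ' --start=' . escapeshellarg((string) ($_GET['start'] ?? ''))
     . ' --end=' . escapeshellarg((string) ($_GET['end'] ?? ''));
// Secrets go in the child's environment so they do not appear in its argv,
// which other local users can read from the process list.
$env = ['REPORT_USER' => $user, 'REPORT_PASS' => $pass];
$proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes, null, $env);
if (!is_resource($proc)) {
    http_response_code(500);
    exit('Could not start tool');
}
echo htmlspecialchars(stream_get_contents($pipes[1]));
fclose($pipes[1]);
proc_close($proc);
```

The session store on the server now holds the password in plaintext, so the session save path permissions and session lifetime become part of the exposure to review.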