Sure, why not? Users can't create session variables (unless you're on a virtual server...)
... and I am -- A shared host server that is.
Now I'm not sure on this, I haven't tested it. Has anyone?
If we're on a virtual server, why can't I just open the session.save_path with PHP and read
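John's point in this exchange is that on a shared ("virtual") host the default session.save_path is usually one shared directory (typically /tmp) that every account on the machine writes to, so another customer's script can list the session ids there and read or plant session files. As an added example, not code from the thread or from anyone's site, the helper below points PHP at a directory private to this one site, outside the docroot, and refuses to start sessions unless that directory is mode 0700 and the setting actually took effect. The path is hypothetical.

```php
<?php
// Added example, not from the thread. Start sessions only from a directory
// that no other account on the host can read. Path below is hypothetical.

function start_session_in_private_dir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }

    // Never keep session files under the web root: a misconfigured server
    // would serve them, and each file is a live session.
    $real = realpath($dir);
    $root = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($real !== false && $root !== false && strpos($real, $root) === 0) {
        throw new RuntimeException("$dir is inside the document root");
    }

    // Group/other bits set means another user on the box can list the ids.
    $perms = fileperms($dir);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $dir");
    }
    $mode = $perms & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(sprintf('%s is mode %04o; expected 0700', $dir, $mode));
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("$dir is not writable by this process");
    }

    ini_set('session.save_path', $dir);
    ini_set('session.use_strict_mode', '1'); // ignore ids the server never issued
    if (ini_get('session.save_path') !== $dir) {
        // open_basedir or a host-level override can silently refuse the change.
        throw new RuntimeException('session.save_path could not be changed');
    }
    session_start();
}

start_session_in_private_dir('/home/example-account/private/sessions');
```

The caveat is the one John is really pointing at: the permission check only helps when PHP runs as your own account (suPHP, per-site php-fpm pools). Under a classic mod_php setup every virtual host's scripts run as the same Unix user, so a 0700 directory owned by that user is still readable by every other site on the box. In that case file storage cannot be isolated at all, and the sessions have to go somewhere only your site can reach, for example a session_set_save_handler() backed by your own database.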
on 17/07/02 6:51 PM, John Holmes ([EMAIL PROTECTED]) wrote:
... and I am -- A shared host server that is.
Now I'm not sure on this, I haven't tested it. Has anyone?
Is this particular vulnerability only in existence when the server is pretty open? I mean, on my particular host, I can't FTP to anything outside my docroot, and I can't use SSH,
snip
What I'm looking to do is when a user logs in, I start up the session.. I then have the registered session var to verify they are authenticated as they move throughout the site.
/snip
This solution is no guarantee that the authenticated user is in control during that session. The only
Anyone? Can someone at least point me to some web article for recommendations? I saw some examples where a password variable was stored, but is that really safe (as long as I MD5 it first?)
Chad
-Original Message-
From: Chad Day [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002
What I'm looking to do is when a user logs in, I start up the session.. I then have the registered session var to verify they are authenticated as they move throughout the site.
Now, when they close the browser and come back, I want them to still be authenticated.
I don't think this
based on any of the user data.
www.php.net/uniqid
---John Holmes...
- Original Message -
From: Chad Day [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 16, 2002 3:30 PM
Subject: RE: [PHP] Sessions / logins / cookies / security
Anyone? Can someone at least point me to some web
Chad Day wrote:
What I'm looking to do is when a user logs in, I start up the session.. I then have the registered session var to verify they are authenticated as they move throughout the site.
Now, when they close the browser and come back, I want them to still be authenticated. Obviously, I
On my sites, I have a check box next to the login form which says remember me. If they tick this box, and their userid/password is valid, I set a cookie on their system which remembers them, which is just their username and an md5() of their password (the same data I add to the session).
When
So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE. If there's nothing there, they aren't logged in as far as I can tell. On every page I validate the uid and pwd against the database, so the only way you could fake being another user is to know the uid AND md5()'d pwd.
Or
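Justin's cookie carries the username and an md5() of the password, which is what the replies from Dan and John object to. As an added example, not code from the thread or from Justin's site, here is that scheme next to the alternative John hints at with his uniqid pointer: a cookie whose value is random and unrelated to the password, checked against a stored hash. It uses random_bytes() rather than uniqid(), because uniqid() is derived from the clock and is not a cryptographic random source. The PDO handle $db and the users / remember_tokens tables are assumptions made for this example.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $db and two
// hypothetical tables:
//   users(id, username, password_hash)
//   remember_tokens(selector, validator_hash, user_id, expires_at)

// --- Weak version: the scheme described above. ------------------------------
// Whoever reads this cookie (injected script, shared machine, plain-HTTP
// sniffing) holds a reusable credential that never expires and that md5()
// does little to protect: a user-chosen password is cheap to crack offline.
function set_weak_remember_cookie(string $username, string $password): void
{
    setcookie('remember', $username . ':' . md5($password), time() + 30 * 86400);
}

// --- Hardened version: random selector/validator pair. ----------------------
// The cookie value has nothing to do with the password. Only a hash of the
// validator is stored, so a leaked table row cannot be replayed as a cookie,
// and a leaked cookie is revoked by deleting its row.
function issue_remember_cookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(8));   // lookup key, not secret (16 hex chars)
    $validator = random_bytes(32);           // secret, never stored in the clear
    $expires   = time() + 30 * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie('remember', $selector . ':' . bin2hex($validator), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // unreadable from script, which blunts theft via XSS
        'samesite' => 'Lax',
    ]);
}

// Returns the user id the cookie proves, or null if it proves nothing.
function check_remember_cookie(PDO $db): ?int
{
    $cookie = $_COOKIE['remember'] ?? '';
    if (!preg_match('/^([0-9a-f]{16}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validatorHex] = $m;

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash, expires_at FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()) {
        return null;
    }

    // Compare hashes in constant time; hash the presented validator the same
    // way it was hashed when stored.
    $presented = hash('sha256', hex2bin($validatorHex));
    if (!hash_equals($row['validator_hash'], $presented)) {
        // Right selector, wrong validator: someone is probing this token.
        // Revoke it instead of letting the guessing continue.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}
```

The calling pattern stays the one Justin describes: if $_SESSION has no login, call check_remember_cookie(), and on a non-null result start a fresh session (session_regenerate_id()) and mark it logged on for that user id. The difference is that nothing in the cookie lets a thief authenticate by any other route than presenting that exact cookie, and that route can be cut off server-side.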
On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
I set a cookie on their system which remembers them, which is just their username and an md5() of their password (the same data I add to the session).
OUCH! Sending the password back out to the net is a scary prospect.
--Dan
on 17/07/02 11:11 AM, John Holmes ([EMAIL PROTECTED]) wrote:
Or steal it. :)
I hope you have checked your site for any cross-site scripting vulnerabilities. This is exactly where vulnerabilities like this come into play...
Interesting -- I'm only a few days away from launching this... could you elaborate on the potential risk, or point me to
Thanks heaps John,
So as a basic rule, having a uid and pwd stored as session variables is NOT the problem, but storing the uid and/or pwd in a cookie on the browser is just plain asking for it :)
So, how do you implement a remember me safely?
Setting JUST the uid in a cookie prevents people
So as a basic rule, having a uid and pwd stored as session variables is NOT the problem, but storing the uid and/or pwd in a cookie on the browser is just plain asking for it :)
You shouldn't even have to do this. Just set a $_SESSION['logged_on'] variable to true and check for that. Why
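As an added example, not code from the thread, this is what John's $_SESSION['logged_on'] suggestion looks like in PHP, together with the session handling that addresses the cookie-theft concern he raised a few messages earlier: HttpOnly and Secure on the session cookie, a fresh session id at login, and a guard for protected pages. Nothing but a flag and the user id lives in the session; the username and password are never carried around. The $db handle and a users table with a password_hash() column are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $db and a
// hypothetical table users(id, username, password_hash), where password_hash
// was produced by password_hash().

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: HttpOnly keeps the id away from injected script (the
    // "or steal it" case), Secure keeps it off plain HTTP, SameSite stops
    // most cross-site requests from carrying it.
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    session_start();
}

// Check credentials; on success rebind the session to the new identity.
function login(PDO $db, string $username, string $password): bool
{
    start_secure_session();
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }

    // New id on privilege change: a session id planted or observed before
    // login (fixation) must not turn into an authenticated one.
    session_regenerate_id(true);
    $_SESSION = [
        'logged_on'  => true,
        'user_id'    => (int) $row['id'],
        'login_time' => time(),
    ];
    return true;
}

// Include at the top of every protected page; returns the logged-on user id.
function require_login(string $loginUrl = '/login.php'): int
{
    start_secure_session();
    if (empty($_SESSION['logged_on']) || !isset($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

The per-page check is then a single require_login() call rather than a database lookup of uid and md5()'d pwd on every request, and because the flag is set only by login() after session_regenerate_id(), a visitor cannot arrive at a protected page holding a session that was authenticated by anything other than that code path.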
on 17/07/02 12:35 PM, John Holmes ([EMAIL PROTECTED]) wrote:
You shouldn't even have to do this. Just set a $_SESSION['logged_on'] variable to true and check for that. Why carry around the username and password??
Well, I guess it's because I started with someone else's script, and built my own from there. Not being a security expert, I assumed
on 17/07/02 1:05 PM, John Holmes ([EMAIL PROTECTED]) wrote:
Sure, why not? Users can't create session variables (unless you're on a virtual server...)
... and I am -- A shared host server that is.
Justin French
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit:
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 4:51 PM
To: Chad Day; [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions / logins / cookies / security
There really isn't a good way to do this, I think.
Any time you're taking just a cookie, and using that data to assume who the user