[PHP] Dumb session / cookie / password questions
I am a little confused about storing stuff in cookies/sessions and how to prevent spoofing of them.

A user logs in, and his e-mail address or user id and password (md5'ed) is checked against my database. Assuming it matches, I then set a cookie with the user's id + email. What is to stop someone from spoofing that cookie? I obviously don't want to put the password in a cookie... can someone point me in the direction of an article about this? I've searched around, but I'm not finding stuff about it from a spoofing-prevention / security angle.

Thanks,
Chad

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
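One answer to the question as asked (a cookie that holds the user id and e-mail and cannot be spoofed) is to authenticate the cookie with an HMAC. This is an added example, not code from the thread or any poster: the server keeps a secret key, signs the payload together with an expiry, and rejects any cookie whose MAC does not verify. The constant AUTH_SECRET is a placeholder and would come from configuration in practice; the cookie name, the helper names and the sample user 42 / chad@example.com are constructed for the example.

```php
<?php
// Added example (not code from the thread): an HMAC-authenticated cookie.
// The cookie still carries the user id and e-mail in the clear, but also a MAC
// computed with a secret only the server knows. Anyone can read the value;
// nobody without the key can forge or alter it, so a hand-crafted "uid=1"
// cookie fails verification.

// Assumption: loaded from configuration in a real deployment, never hard-coded.
// Generate once with bin2hex(random_bytes(32)).
const AUTH_SECRET = 'placeholder-32-byte-secret-from-random_bytes';
const AUTH_COOKIE = 'auth';

function makeAuthToken(int $userId, string $email, int $expires, string $secret): string
{
    // The expiry is part of the signed payload, so it cannot be extended client-side.
    $payload = json_encode(['uid' => $userId, 'email' => $email, 'exp' => $expires]);
    $mac = hash_hmac('sha256', $payload, $secret);
    // base64 never contains '.', so it is a safe separator between payload and MAC.
    return base64_encode($payload) . '.' . $mac;
}

function verifyAuthToken(string $token, int $now, string $secret): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    // Check the MAC before trusting anything in the payload; hash_equals() runs in
    // constant time so the comparison does not leak how many characters matched.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['uid'], $data['email'], $data['exp'])) {
        return null;
    }
    if ((int) $data['exp'] < $now) {
        return null;   // correctly signed, but expired
    }
    return ['user_id' => (int) $data['uid'], 'email' => (string) $data['email']];
}

// Web usage after a successful password check (PHP 7.3+ option-array form of setcookie()).
function issueAuthCookie(int $userId, string $email): void
{
    $expires = time() + 3600;
    setcookie(AUTH_COOKIE, makeAuthToken($userId, $email, $expires, AUTH_SECRET), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function currentUserFromCookie(): ?array
{
    if (!isset($_COOKIE[AUTH_COOKIE])) {
        return null;
    }
    return verifyAuthToken($_COOKIE[AUTH_COOKIE], time(), AUTH_SECRET);
}

// Stand-alone check under the PHP CLI: a genuine token, a tampered one, an expired one.
if (PHP_SAPI === 'cli') {
    $now = time();
    $token = makeAuthToken(42, 'chad@example.com', $now + 3600, AUTH_SECRET);
    var_dump(verifyAuthToken($token, $now, AUTH_SECRET));          // genuine token

    // Payload edited to claim user id 1, MAC left as issued: the MAC no longer matches.
    [$encoded, $mac] = explode('.', $token, 2);
    $tampered = base64_encode(str_replace('"uid":42', '"uid":1', base64_decode($encoded))) . '.' . $mac;
    var_dump(verifyAuthToken($tampered, $now, AUTH_SECRET));       // tampered payload

    var_dump(verifyAuthToken($token, $now + 7200, AUTH_SECRET));   // past its expiry
}
```

A signed cookie stops forgery and tampering, not theft: a copy of a valid cookie replays until it expires, which is why the expiry is short and the cookie is marked secure and httponly. It also still exposes the e-mail to anyone who can read the cookie; keeping only an opaque session id in the browser, as the server-side session approach later in this thread does, avoids that.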
Re: [PHP] Dumb session / cookie / password questions
What I have done in the past is create a session variable that tells me that the person using that session is valid. It's really, really hard to spoof a session variable. I did it this way after a while, since the original way that I did it was by checking their username/password in the session on every page hit, which, when I have over a million hits per day, begins to wear on the database. So far, using a session variable is the best way that I have found.

Cheers!
Rick

Too much caution is bad for you. By avoiding things you fear, you may let yourself in for unhappy consequences. It is usually wiser to stand up to a scary-seeming experience and walk right into it, risking the bruises as hard knocks. You are likely to find it is not as tough as you had thought. Or you may find it plenty tough, but also discover you have what it takes to handle it. - Norman Vincent Peale

From: Chad Day [EMAIL PROTECTED]
Date: Wed, 10 Jul 2002 16:09:53 -0400
To: [EMAIL PROTECTED]
Subject: [PHP] Dumb session / cookie / password questions
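The approach Rick describes, a server-side session that records "this session is logged in" once so later page hits do not touch the password at all, looks like the following. This is an added example and not Rick's code; it uses password_hash()/password_verify() rather than the md5() discussed in the thread, and the PDO connection $pdo, the "users" table with columns id, email and password_hash, and the /login.php path are hypothetical.

```php
<?php
// Added example (not Rick's code): authenticate once, then trust a server-side
// session flag. The browser only holds an opaque session id; the user id lives in
// $_SESSION on the server, so there is no user id or e-mail in the cookie to spoof.
// Assumptions: a PDO connection $pdo and a "users" table with columns id, email
// and password_hash (output of password_hash()) are hypothetical.

// Harden the session cookie before the session starts.
ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue
ini_set('session.cookie_httponly', '1');   // not readable from JavaScript
ini_set('session.cookie_secure', '1');     // only sent over HTTPS
session_start();

function loginUser(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Spend roughly the same time as a real check so the response time does not
        // reveal whether the e-mail exists.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id at the moment privilege changes, so an id planted in the
    // browser before login (session fixation) does not become an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Every protected page calls this instead of re-checking the password against the database.
function requireLogin(int $maxAge = 8 * 3600): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'])
        || time() - $_SESSION['login_at'] > $maxAge) {
        logoutUser();
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the session cookie in the browser as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The only thing a visitor can spoof here is the session id itself, which is why use_strict_mode (reject ids the server never issued) and session_regenerate_id() on login matter; the database is hit once per login, not once per page.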
Re: [PHP] Dumb session / cookie / password questions
Firstly, you should ALWAYS use an encryption algorithm for passwords. For my site, I used md5() and match with that. That way, even if someone does get a hold of the encrypted password, it's not in their best interest (or maybe it is, if they're bored) to crack it.

I haven't tested the following out, but it might work if someone wants to be a smartass and type out index.php?user=admingodpass=adminpass[EMAIL PROTECTED] in which they know the info.

<?php
// Redirect to this script without any query string if anything arrived via GET.
if (!empty($_GET)) {
    header('Location: ' . $_SERVER['PHP_SELF']);
    exit; // stop here so the rest of the page is not rendered with the GET data
}
?>

Putting that at the top of the page would check to see if any information was sent to the page from the $_GET superglobal, and if it was, reload the page without any URL extensions. It sounds good in theory, though I haven't tested it, so it might not work as I think it should (it NEVER does!).

My $20.00 (big mouth)

Martin Clifford
http://www.completesource.net (Now Open!)

Chad Day [EMAIL PROTECTED] 07/10/02 04:09PM
Re: [PHP] Dumb session / cookie / password questions
Hello!

Martin Clifford wrote:

> Firstly, you should ALWAYS use an encryption algorithm for passwords. For my site, I used md5() and match with that. That way, even if someone does get a hold of the encrypted password, it's not in their best interest (or maybe it is, if they're bored) to crack it.

NO need for decryption. I can just present it as is and your soft's gonna drink it (and may burp afterwards) :)

> Putting that at the top of the page would check to see if any information was sent to the page from the $_GET superglobal, and if it was, reload the page without any URL extensions.

Using register_globals off would do the same without any code add-on. And it *does* work, as many a user lately found out, in anguish for his/her vanished parameters/sessions/cookies/umbrellas and girlfriends :) Yet it cannot block your MD5 stuff from being presented back to you on the right channel (not so difficult to guess, it's three channels in all).

If you don't hold CC numbers, military stuff, bank transactions or mafia secrets I can hardly see any need for paranoia (in case you do, MD5ing is a *poor* solution). Having your CC processed by a secure third party will cost you much less than implementing a 90% secure system from scratch. When you have nothing to hide you also have nothing to fear :)

Think about it. Most users exchange their user/passwords in emails. "Hey! Wanna see what discount prices I got from that site, dude? Look, user Mickey pass MOuse (capital O, mind you, I love security, ya know). And don't tell anyone, okay?" Users do it all the time. And sites, too. How many automated mails containing right the passwords you are trying to protect will you be forced to send along the net for the sake of customer satisfaction? Most of those "forgot your password? Tell us what email you gave us, we'll do the rest!" will be received on public email servers, because nobody in his mind would send a commercial site his real email (I canceled my first yahoo account when I was already receiving some 50 commercials a day, mostly about penis enlargement and marijuana replacers). Those emails will remain on the account for ages, just in case the user forgot the pass again. Would you rate yahoo as a secure site? Any time I walk into a computer club while I'm on vacation I end up in somebody else's yahoo/ICQ or whatever account... I am usually trying to log out from the session that was left open. Maybe because I am too stupid to understand yahoo's security policy LOL

That was just for the sake of throwing my 2 kopeki in before going to sleep (we are in no euro/dollar/sterling area either :)

Bye,
Alberto
Kiev