Re: [PHP] Secure user authentication

2002-05-06 Thread Pedro Pontes
749 494 : QUT Student :: 04475739 ::: - Original Message - From: Pedro Pontes [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, May 04, 2002 12:33 AM Subject: Re: [PHP] Secure user authentication First of all, thank you for you

Re: [PHP] Secure user authentication

2002-05-04 Thread The_RadiX
:: 04475739 ::: - Original Message - From: Pedro Pontes [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, May 04, 2002 12:33 AM Subject: Re: [PHP] Secure user authentication First of all, thank you for your devote answer. The method I was thinking

RE: [PHP] Secure user authentication

2002-05-03 Thread Jon Haworth
Hi, but the password is put through my own fairly unbreakable (yes.. I am serious) password key system.. SO basically you'll end up with a nice 32 char string which is QUITE safe to pass around and the chance anyone's gonna decrypt it IMHO is about zilch, And all you have to do, is when

RE: [PHP] Secure user authentication

2002-05-03 Thread Brian McGarvie
another option is to use SSL for the login page/sensitive parts of the site that deal with any transfer of 'sensitive' data? -Original Message- From: Jon Haworth [mailto:[EMAIL PROTECTED]] Sent: 03 May 2002 15:08 To: 'The_RadiX'; [EMAIL PROTECTED] Subject: RE: [PHP] Secure user

Re: [PHP] Secure user authentication

2002-05-03 Thread The_RadiX
] : ABN: 64 235 749 494 : QUT Student :: 04475739 ::: - Original Message - From: Jon Haworth [EMAIL PROTECTED] To: 'The_RadiX' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, May 04, 2002 12:07 AM Subject: RE: [PHP] Secure user authentication

Re: [PHP] Secure user authentication

2002-05-03 Thread The_RadiX
. The_RadiX : [EMAIL PROTECTED] : ABN: 64 235 749 494 : QUT Student :: 04475739 ::: - Original Message - From: Brian McGarvie [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, May 04, 2002 12:12 AM Subject: RE: [PHP] Secure user authentication

Re: [PHP] Secure user authentication

2002-05-03 Thread Pedro Pontes
First of all, thank you for your devote answer. The method I was thinking about before was to pass the md5 hash of the password around, as the passwords are already md5'ed in the DB. Your method seems more secure as you use a totally spiced-up and personalized encryption engine. But, the main

RE: [PHP] Secure user authentication

2002-05-03 Thread Brian McGarvie
]] Sent: 03 May 2002 15:14 To: [EMAIL PROTECTED]; Brian McGarvie Subject: Re: [PHP] Secure user authentication that is a good suggestion.. Using SSL to perform sensitive logins.. and then using some sort of hidden or encrypted passwords in your sessions should provide a nice level of security

RE: [PHP] Secure user authentication

2002-05-03 Thread Jon Haworth
Hi, The method I was thinking about before was to pass the md5 hash of the password around, as the passwords are already md5'ed in the DB. Your method seems more secure as you use a totally spiced-up and personalized encryption engine. *boggle* Why are you passing the password around,

Re: [PHP] Secure user authentication

2002-05-03 Thread Pedro Pontes
Hi Jon, I am considering doing that because any user can create a simple PHP script with his/her object with the authenticated flag set to authorized, register that object with the session and then link to any of my pages, which if they don't make any kind of password test, they will unsuspectly

Re: [PHP] Secure user authentication

2002-05-03 Thread Miguel Cruz
This would only work if some other user is able to create files that the web server thinks are part of your domain (since the session cookies are domain-specific). Sounds to me like your problem here is severe server misconfiguration. If your server environment is that insecure, then worrying

Re: [PHP] Secure user authentication

2002-05-03 Thread Michael Kimsal
Pedro Pontes wrote: Hi Jon, I am considering doing that because any user can create a simple PHP script with his/her object with the authenticated flag set to authorized, register that object with the session and then link to any of my pages, which if they don't make any kind of password