[PHP] Re: [PHP-DB] Re: Definitive answer for large scale registration/authentication
Hello,

Brad Hubbard wrote:
>
> On Tue, 16 Apr 2002 14:51, Manuel Lemos did align ASCII characters thusly:
> > > > then stored in cookie. The security weakness of this method is that if
> > > > the secret key leaks, hackers may use it to forge new sessions.
> > >
> > > Is this documented anywhere?
> >
> > Anyway what part didn't you understand?
>
> I think I understand all of it. Serialization of a session (or session
> object) is fairly straightforward and I know how to store that in a cookie. I
> was just hoping there was a "cookbook" out there. Don't have any classes on
> your site that do this do you? ;-)

Oh, sure, lots of them. It just depends on what exactly you would like to
see. Why don't you just take a look around to see if you find what you want?
Here you may see all in there about authentication and sessions.

http://www.phpclasses.org/browse.html/class/21.html

Actually it could be simpler like this:

http://www.phpclasses.org/sessions
http://www.phpclasses.org/cookies
http://www.phpclasses.org/authentication

As for cookbook, you may want to take a look at Sterling's PHP Cookbook.
Sterling is "nuts", but the book is good and has a whole chapter on sessions
and another on LDAP which may be an option depending on exactly what you want
to do.

http://www.phpclasses.org/products.html/id/0672319241.html

Talking about books, the new Professional PHP 4 Programming is also a very
good book that addresses these issues. I have just reviewed it and all I can
say is that WROX books really rock! :-)

http://www.phpclasses.org/products.html/id/1861006918.html

> > > > accesses to just one after the server is restarted. This is probably
> > > > the one you want to use as long you know how to deal with shared memory
> > > > and semaphores.
> > >
> > > Is this documented anywhere?
> >
> > Probably only in my mind. :-)
>
> Can I borrow it?

I'm afraid I need it now. Try again in a few decades maybe. :-)

Seriously, there is no big deal about it.

It was also mentioned that PHPlib seems to do that already, although I never
tried it.

> > I guess you mean HTTP based authentication.
>
> Yes.
>
> > No, AFAIK that is very
> > insecure because you can't end a "session" because browsers cache
> > authenticated passwords and only drop them (if they do, IE may not do
> > it) when you quit your browser. If you leave your browser terminal for
> > some time, somebody may come in and take advantage of your account
> > privileges.
>
> The physical security of the user's machine is their responsibility. I'm
> looking for good security, ease of implementation, and scalability.
>
> At the moment it seems to be a case of "pick any two".

Suggestion: design an API, maybe implemented as a PHP class, that handles the
basic functionality that you want to implement. Then you may choose an
initial approach having in mind that in the future you may evolve your API
implementation to address those items better. That way you won't have to
rewrite your application because your API is the same.

Regards,
Manuel Lemos

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: [PHP-DB] Re: Definitive answer for large scale registration/authentication
On Tue, 16 Apr 2002 14:51, Manuel Lemos did align ASCII characters thusly:
> > > then stored in cookie. The security weakness of this method is that if
> > > the secret key leaks, hackers may use it to forge new sessions.
> >
> > Is this documented anywhere?
>
> Anyway what part didn't you understand?

I think I understand all of it. Serialization of a session (or session
object) is fairly straightforward and I know how to store that in a cookie. I
was just hoping there was a "cookbook" out there. Don't have any classes on
your site that do this do you? ;-)

> > > accesses to just one after the server is restarted. This is probably
> > > the one you want to use as long you know how to deal with shared memory
> > > and semaphores.
> >
> > Is this documented anywhere?
>
> Probably only in my mind. :-)

Can I borrow it?

> I guess you mean HTTP based authentication.

Yes.

> No, AFAIK that is very
> insecure because you can't end a "session" because browsers cache
> authenticated passwords and only drop them (if they do, IE may not do
> it) when you quit your browser. If you leave your browser terminal for
> some time, somebody may come in and take advantage of your account
> privileges.

The physical security of the user's machine is their responsibility. I'm
looking for good security, ease of implementation, and scalability.

At the moment it seems to be a case of "pick any two".

Brad
Re: [PHP] Re: [PHP-DB] Re: Definitive answer for large scale registration/authentication
On Tue, 16 Apr 2002 14:59, Richard Archer did align ASCII characters thusly:
> Aah, but does it scale?

By most accounts, no :-(

> And do you want to run SSL for all page views?

Yes.

Brad
[PHP] Re: [PHP-DB] Re: Definitive answer for large scale registration/authentication
Hello,

Brad Hubbard wrote:
>
> On Tue, 16 Apr 2002 14:01, Manuel Lemos did align ASCII characters thusly:
> > Probably the fastest way to keep session profile information is by
> > serializing the data array into a string that will be encrypted and then
> > stored in cookie. The security weakness of this method is that if the
> > secret key leaks, hackers may use it to forge new sessions.
>
> Is this documented anywhere?

Yes, but where I know I can't tell you because it is part of a proprietary
system. Maybe somebody else did it like this and documented it somewhere but I
have no knowledge of that. Anyway what part didn't you understand?

> > A more secure but eventually less scalable method is to store the
> > session data in a shared memory cache, so you minimize database accesses
> > to just one after the server is restarted. This is probably the one you
> > want to use as long you know how to deal with shared memory and
> > semaphores.
>
> Is this documented anywhere?

Probably only in my mind. :-)

> My understanding was that htaccess authentication was more secure than
> session based because of the problems of session hijacking???

I guess you mean HTTP based authentication. No, AFAIK that is very insecure
because you can't end a "session" because browsers cache authenticated
passwords and only drop them (if they do, IE may not do it) when you quit
your browser. If you leave your browser terminal for some time, somebody may
come in and take advantage of your account privileges.

Regards,
Manuel Lemos
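The two storage methods Manuel describes in this message, and the suggestion he makes later in the thread to put them behind one API implemented as a PHP class, sketched as an added example that is not code from the thread or from any PHPClasses package. It assumes PHP 8.1+ with the sodium, sysvsem and sysvshm extensions; the interface, class and cookie names (SessionStore, EncryptedCookieStore, SharedMemoryStore, sess, sid) are invented for the example, and the 32-byte key is assumed to come from outside the web root, e.g. an environment variable.

```php
<?php
// Added example, not code from the thread: the single session API with two
// swappable backends that Manuel suggests, covering both storage methods he
// describes. Assumes PHP 8.1+ with the sodium, sysvsem and sysvshm extensions.
interface SessionStore
{
    public function save(array $data): void; // persist the profile array
    public function load(): ?array;          // null if absent, invalid or expired
}

// Backend 1: serialized array, encrypted and authenticated, kept in the cookie.
// The weakness named in the thread stands: whoever holds $key can mint valid
// cookies, so keep it out of the web root and rotate it if it ever leaks.
final class EncryptedCookieStore implements SessionStore
{
    public function __construct(
        private string $key,            // exactly 32 random bytes, e.g. from an env var
        private string $name = 'sess',  // cookie name (hypothetical)
        private int $ttl = 3600,        // seconds; bounds replay of a stolen cookie
    ) {}
    public function seal(array $data): string
    {
        // Expiry travels inside the ciphertext, so the client cannot edit it.
        $plain = serialize(['exp' => time() + $this->ttl, 'data' => $data]);
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = sodium_crypto_secretbox($plain, $nonce, $this->key);
        return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }

    public function open(string $cookie): ?array
    {
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        try {
            $raw   = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
            $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $this->key);
        } catch (SodiumException) {
            $plain = false;             // malformed base64 or nonce too short
        }
        if ($plain === false) { return null; } // tampered, truncated or wrong key
        // allowed_classes => false: cookie bytes must never instantiate objects.
        $env = unserialize($plain, ['allowed_classes' => false]);
        if (!is_array($env) || !is_array($env['data'] ?? null) || ($env['exp'] ?? 0) < time()) {
            return null;
        }
        return $env['data'];
    }
    public function save(array $data): void
    {
        setcookie($this->name, $this->seal($data), ['expires' => time() + $this->ttl,
            'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    public function load(): ?array
    {
        return isset($_COOKIE[$this->name]) ? $this->open($_COOKIE[$this->name]) : null;
    }
}

// Backend 2: data stays server-side in System V shared memory behind a
// semaphore; the cookie carries only a random id. No leaked key can forge a
// session here, but the cache is local to one machine, hence "less scalable".
final class SharedMemoryStore implements SessionStore
{
    private SysvSemaphore $sem;
    private SysvSharedMemory $shm;       // holds one variable (slot 1): id => data
    public function __construct(int $ipcKey, private string $name = 'sid', int $bytes = 1 << 20)
    {
        $this->sem = sem_get($ipcKey, 1, 0600);         // a false return hits the typed
        $this->shm = shm_attach($ipcKey, $bytes, 0600); // property and throws, as it should
    }
    // Read-modify-write of the whole table while holding the semaphore.
    private function withTable(callable $fn): mixed
    {
        sem_acquire($this->sem);
        try {
            $all = shm_has_var($this->shm, 1) ? shm_get_var($this->shm, 1) : [];
            $out = $fn($all);
            shm_put_var($this->shm, 1, $all);
            return $out;
        } finally {
            sem_release($this->sem);
        }
    }
    public function save(array $data): void
    {
        $id = (string) ($_COOKIE[$this->name] ?? '');
        $this->withTable(function (array &$all) use (&$id, $data): void {
            // Unknown or client-chosen id: issue a fresh one instead of trusting it.
            if (!isset($all[$id])) { $id = bin2hex(random_bytes(16)); }
            $all[$id] = $data;
        });
        setcookie($this->name, $id, ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    public function load(): ?array
    {
        $id = (string) ($_COOKIE[$this->name] ?? '');
        return $this->withTable(fn (array $all): ?array => $all[$id] ?? null);
    }
}
```

Application code only ever sees `SessionStore`, so switching from `new EncryptedCookieStore($key)` to `new SharedMemoryStore(0x5e55)` is a one-line change, which is the point of Manuel's suggestion. The cookie backend makes the trade-off in the thread explicit: the expiry inside the ciphertext limits how long a stolen cookie replays, and the authenticated encryption means a modified cookie is rejected rather than decrypted into garbage, but nothing in it survives a leaked key except rotating that key, which invalidates every outstanding session at once.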
[PHP] Re: [PHP-DB] Re: Definitive answer for large scale registration/authentication
On Tue, 16 Apr 2002 14:01, Manuel Lemos did align ASCII characters thusly:
> Probably the fastest way to keep session profile information is by
> serializing the data array into a string that will be encrypted and then
> stored in cookie. The security weakness of this method is that if the
> secret key leaks, hackers may use it to forge new sessions.

Is this documented anywhere?

> A more secure but eventually less scalable method is to store the
> session data in a shared memory cache, so you minimize database accesses
> to just one after the server is restarted. This is probably the one you
> want to use as long you know how to deal with shared memory and
> semaphores.

Is this documented anywhere?

My understanding was that htaccess authentication was more secure than
session based because of the problems of session hijacking???

Brad