>What I'm looking to do is when a user logs in, I start up the session.. I
>then have the registered session var to verify they are authenticated as
>they move throughout the site.
>
This solution is no guarantee that the authenticated user is in control
during that session. The only thing yo
> >> ... and I am -- A shared host server that is.
> >
> > Now I'm not sure on this, I haven't tested it. Has anyone?
>
> Is this particular vulnerability only in existence when the server is pretty
> open? I mean, on my particular host, I can't FTP to anything outside my
> docroot, and I can'
on 17/07/02 6:51 PM, John Holmes ([EMAIL PROTECTED]) wrote:
>> ... and I am -- A shared host server that is.
>
> Now I'm not sure on this, I haven't tested it. Has anyone?
Is this particular vulnerability only in existence when the server is pretty
open? I mean, on my particular host, I can't
> > Sure, why not? Users can't create session variables (unless you're on a
> > virtual server...)
>
> ... and I am -- A shared host server that is.
Now I'm not sure on this, I haven't tested it. Has anyone?
If we're on a virtual server, why can't I just open the session.save_path with PHP and
n W. Holmes [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 16, 2002 4:51 PM
> To: Chad Day; [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions / logins / cookies / security
>
> There really isn't a good way to do this, I think.
>
> Any time you're taking just a cooki
on 17/07/02 1:05 PM, John Holmes ([EMAIL PROTECTED]) wrote:
> Sure, why not? Users can't create session variables (unless you're on a
> virtual server...)
... and I am -- A shared host server that is.
Justin French
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: htt
> > You shouldn't even have to do this. Just set a $_SESSION['logged_on']
> > variable to true and check for that. Why carry around the username and
> > password??
>
> Well, I guess it's because I started with someone else's script, and built
> my own from there. Not being a security expert, I a
on 17/07/02 12:35 PM, John Holmes ([EMAIL PROTECTED]) wrote:
> You shouldn't even have to do this. Just set a $_SESSION['logged_on']
> variable to true and check for that. Why carry around the username and
> password??
Well, I guess it's because I started with someone else's script, and built my
> So as a basic rule, having a uid and pwd stored as session variables is NOT
> the problem, but storing the uid and/or pwd in a cookie on the browser is
> just plain asking for it :)
You shouldn't even have to do this. Just set a $_SESSION['logged_on']
variable to true and check for that. Why
Thanks heaps John,
So as a basic rule, having a uid and pwd stored as session variables is NOT
the problem, but storing the uid and/or pwd in a cookie on the browser is
just plain asking for it :)
So, how do you implement a "remember me" safely?
Setting JUST the uid in a cookie prevents people
> > Or steal it. :)
> >
> > I hope you have checked your site for any cross-site scripting
> > vulnerabilities. This is exactly where vulnerabilities like this come
> > into play...
>
> Interesting -- I'm only a few days away from launching this... could you
> elaborate on the potential risk, or
on 17/07/02 11:11 AM, John Holmes ([EMAIL PROTECTED]) wrote:
> Or steal it. :)
>
> I hope you have checked your site for any cross-site scripting
> vulnerabilities. This is exactly where vulnerabilities like this come
> into play...
Interesting -- I'm only a few days away from launching this...
on 17/07/02 11:11 AM, Analysis & Solutions ([EMAIL PROTECTED]) wrote:
> On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
>> I set a
>> cookie on their system which remembers them, which is just their username
>> and an md5() of their password (the same data I add to the session).
>
On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
> I set a
> cookie on their system which remembers them, which is just their username
> and an md5() of their password (the same data I add to the session).
OUCH! Sending the password back out to the net is a scary prospect.
--Dan
> So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE. If
> there's nothing there, they aren't logged in as far as I can tell. On every
> page I validate the uid and pwd against the database, so the only way you
> could fake being another user is to know the uid AND md5()'d pwd.
On my sites, I have a check box next to the login form which says "remember
me". If they tick this box, and their userid/password is valid, I set a
cookie on their system which remembers them, which is just their username
and an md5() of their password (the same data I add to the session).
When ma
Chad Day wrote:
>What I'm looking to do is when a user logs in, I start up the session.. I
>then have the registered session var to verify they are authenticated as
>they move throughout the site.
>
>Now, when they close the browser and come back, I want them to still be
>authenticated. Obviousl
g that's hard to predict
and isn't based on any of the user data.
www.php.net/uniqid
---John Holmes...
- Original Message -
From: "Chad Day" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 16, 2002 3:30 PM
Subject: RE: [PHP] Sessions / logins
> What I'm looking to do is when a user logs in, I start up the session.. I
> then have the registered session var to verify they are authenticated as
> they move throughout the site.
>
> Now, when they close the browser and come back, I want them
> to still be authenticated.
I don't thi
12:30 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions / logins / cookies / security
I asked something similar a little while ago, but didn't do a good job
clarifying.
What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verif