Re: [PHP] How Do Y'all Secure your Sites... (Cookies vs. IP Number)...
Well, the website uses both port 80 and port 443. The public accesses the website freely, so blocking them is not an option; besides, they don't know the true IP address behind the firewall that they would need to access the administration website. We don't have an intranet for the administration website to be used on.

"Miguel Cruz" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> On Fri, 5 Jul 2002, Scott Fletcher wrote:
> > We also use "$_SERVER['REMOTE_ADDR']" to allow only the credit bureau
> > employees to log in to the administration website, that is, if the
> > employee's machine is at the credit bureau's premises. This helps with some
> > security but is not full security, because people outside the credit
> > bureau can easily change the IP address on their machine, or are in a
> > local network behind the firewall with made-up IP addresses, since those
> > won't be used on the internet or a real network.
>
> People outside cannot change their IP addresses to those used by machines
> behind your firewall (unless they are in your building and your firewall
> is horribly misconfigured). Well, they can change them, but it serves
> little purpose. Return traffic would not be routed to them.
>
> The best they can do is spoof those addresses, but that's a one-way
> street: if you pass a token, they won't receive it, so you can easily
> ignore them.
>
> On the other hand, the IP address issue doesn't really add any security
> here; it's the token.
>
> miguel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How Do Y'all Secure your Sites... (Cookies vs. IP Number)...
On Fri, 5 Jul 2002, Scott Fletcher wrote:
> We also use "$_SERVER['REMOTE_ADDR']" to allow only the credit bureau
> employees to log in to the administration website, that is, if the
> employee's machine is at the credit bureau's premises. This helps with some
> security but is not full security, because people outside the credit
> bureau can easily change the IP address on their machine, or are in a
> local network behind the firewall with made-up IP addresses, since those
> won't be used on the internet or a real network.

People outside cannot change their IP addresses to those used by machines behind your firewall (unless they are in your building and your firewall is horribly misconfigured). Well, they can change them, but it serves little purpose. Return traffic would not be routed to them.

The best they can do is spoof those addresses, but that's a one-way street: if you pass a token, they won't receive it, so you can easily ignore them.

On the other hand, the IP address issue doesn't really add any security here; it's the token.

miguel
Re: [PHP] How Do Y'all Secure your Sites... (Cookies vs. IP Number)...
Well! The credit bureau website is the one I maintain. We don't use cookies because they don't help when the user has them turned off. We do compile OpenSSL and Libmcrypt with PHP, so we can check whether the web browser is using 128 bits and not below that. The PHP variable for that is "$_SERVER['SSL_CIPHER_USEKEYSIZE']". We also use "$_SERVER['REMOTE_ADDR']" to allow only the credit bureau employees to log in to the administration website, that is, if the employee's machine is at the credit bureau's premises. This helps with some security but is not full security, because people outside the credit bureau can easily change the IP address on their machine, or are in a local network behind the firewall with made-up IP addresses, since those won't be used on the internet or a real network. We also use a Session ID to keep track of the user, so that the user can be logged off if idle for about 15 minutes, and we also use it to prevent direct access attempts without logging in. Etc. Hope this idea can be of help.

FletchSOD

"Ed Lazor" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I've typically seen the use of a login / cookie in tracking users and
> providing security.
>
> -----Original Message-----
> Quick Question on Cookies vs. IP Number:
>
> They appear to be easy to set (well, at least in PHP), hence quite
> easy to get around (the user of your site simply deletes the
> cookie on his hard drive...). In Konqueror you are actually
> given the option of rejecting cookies... Using
> getenv($REMOTE_ADDR) to retrieve someone's IP number
> isn't too reliable either in the case that someone is using
> dial-up... I just want to get ideas from other PHP coders as
> to how they secure their sites and actually keep an accurate
> record as to who and how many people visit your sites,
> because even a combination of cookies and IP would be easily
> bypassed...
>
> Some ideas, if you may, folks...
>
> This message is intended for the sole use of the individual and entity to
> whom it is addressed, and may contain information that is privileged,
> confidential and exempt from disclosure under applicable law. If you are
> not the intended addressee, nor authorized to receive for the intended
> addressee, you are hereby notified that you may not use, copy, disclose or
> distribute to anyone the message or any information contained in the
> message. If you have received this message in error, please immediately
> advise the sender by reply email and delete the message. Thank you very
> much.
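As an added example (not code from the thread), a PHP gate for an administration page that combines Scott's checks (128-bit SSL_CIPHER_USEKEYSIZE, a REMOTE_ADDR allow-list, a 15-minute idle logout) with Miguel's point that the server-side session token, not the IP address, is what actually carries the security. The constant names, the /login.php path, the `admin_user` session key set at login, and the 10.0.0.0/8 office range are assumptions.

```php
<?php
// Added example, not from the thread. Constant names, /login.php and the
// 10.0.0.0/8 office range are assumptions; substitute real values.
const IDLE_LIMIT_SECONDS = 15 * 60;        // log out after 15 idle minutes
const MIN_CIPHER_BITS    = 128;            // reject weak SSL ciphers
const OFFICE_NETWORKS    = ['10.0.0.0/8']; // constructed office address range

// True if IPv4 address $ip falls inside the CIDR block $cidr.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function requireAdminSession(array $server): void
{
    // 1. mod_ssl exports the negotiated key size; require 128-bit or better.
    $bits = (int)($server['SSL_CIPHER_USEKEYSIZE'] ?? 0);
    if (empty($server['HTTPS']) || $bits < MIN_CIPHER_BITS) {
        http_response_code(403);
        exit('A 128-bit SSL connection is required.');
    }
    session_start();
    // 2. The server-side session token is the credential: no login, no access.
    if (empty($_SESSION['admin_user'])) {
        header('Location: /login.php');
        exit;
    }
    // 3. Idle timeout is tracked server-side, so a stale token cannot revive it.
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_LIMIT_SECONDS) {
        session_unset();
        session_destroy();
        header('Location: /login.php?reason=idle');
        exit;
    }
    // 4. Source address is defence in depth only; a spoofer never sees the reply.
    $fromOffice = false;
    foreach (OFFICE_NETWORKS as $cidr) {
        $fromOffice = $fromOffice || ipInCidr($server['REMOTE_ADDR'], $cidr);
    }
    if (!$fromOffice) {
        error_log('admin request from outside office: ' . $server['REMOTE_ADDR']);
        http_response_code(403);
        exit('The administration site is only reachable from the office.');
    }
    $_SESSION['last_seen'] = time();
}

requireAdminSession($_SERVER);
```

Include this at the top of each administration page; the idle check relies on `last_seen` living in the server-side session store, so a visitor cannot extend it by editing anything on the client.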
Re: [PHP] How Do Y'all Secure your Sites... (Cookies vs. IP Number)...
On Fri, 5 Jul 2002, Kondwani Spike Mkandawire wrote:
> Quick Question on Cookies vs. IP Number:
>
> They appear to be easy to set (well, at least in PHP), hence quite
> easy to get around (the user of your site simply deletes the
> cookie on his hard drive...). In Konqueror you are actually
> given the option of rejecting cookies... Using
> getenv($REMOTE_ADDR) to retrieve someone's IP number
> isn't too reliable either in the case that someone is using
> dial-up... I just want to get ideas from other PHP coders as
> to how they secure their sites and actually keep an accurate
> record as to who and how many people visit your sites,
> because even a combination of cookies and IP would be easily
> bypassed...

IP numbers are pretty useless for this. A given user's IP address can change during a session, and multiple users can share IP addresses.

I'm not sure what your concerns about cookies are with respect to security; they can be part of a pretty tight system. Perhaps you could elaborate.

For people who don't accept session cookies, you'll have to pass a token around in the URL or in a hidden form item.

miguel
RE: [PHP] How Do Y'all Secure your Sites... (Cookies vs. IP Number)...
I've typically seen the use of a login / cookie in tracking users and providing security.

-----Original Message-----
Quick Question on Cookies vs. IP Number:

They appear to be easy to set (well, at least in PHP), hence quite easy to get around (the user of your site simply deletes the cookie on his hard drive...). In Konqueror you are actually given the option of rejecting cookies... Using getenv($REMOTE_ADDR) to retrieve someone's IP number isn't too reliable either in the case that someone is using dial-up... I just want to get ideas from other PHP coders as to how they secure their sites and actually keep an accurate record as to who and how many people visit your sites, because even a combination of cookies and IP would be easily bypassed...

Some ideas, if you may, folks...