Re: [PHP] Access control question - follow-up question

2002-06-07 Thread Erik Price


On Friday, June 7, 2002, at 12:32  PM, Jeff Field wrote:

> I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> cookie on my own server, not in the cookie that is sent to the user to
> maintain sessions.  The cookie sent to the user merely contains the session
> ID.  Therefore, other than someone hijacking the session, I'm a little
> unclear as to the security risk.  Have I got this right?

Exactly.
Unless they had access to the server itself, where the session data is 
stored in a temporary file.  So there are two vulnerabilities -- server 
compromise and cookie spoofing.

But don't forget that without SSL, someone watching your client's port 
(or your server's port) will see the password in plaintext and get 
through that way.  Watching a port is about as easy as anything I can 
think of.  So for true security you'll need SSL.


Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
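Erik's reply makes two points that are easy to act on in code: the cookie carries only the session ID while the serialized session data sits in a file on the server, and without SSL both the password and the ID cross the wire in the clear. The following session bootstrap is an added example, not code from the thread or from any of the posters; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params), a canonical host name and a private session directory that are placeholders you would replace, and that it is included before session_start() on every page.

```php
<?php
// Added example (not from the thread). Session bootstrap that addresses the
// two risks in Erik's reply: (1) the server-side session store can be read by
// anyone with access to the box, so keep it in a directory only the web user
// can read; (2) the session ID and the login form travel in plaintext without
// TLS, so refuse to serve the application over plain HTTP at all.

declare(strict_types=1);

const CANONICAL_HOST = 'www.example.invalid';   // assumption: your real host name

// 1. Detect whether this request arrived over TLS.
function isHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
}

// Redirect plain-HTTP requests to HTTPS before any session or password handling.
if (!isHttps()) {
    header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

// 2. Keep the serialized $_SESSION files out of the shared system temp
//    directory. Placeholder path; it must exist and be writable only by the
//    account the web server runs as.
ini_set('session.save_path', '/var/lib/php/sessions-myapp');

// 3. Accept the session ID from the cookie only (never from the query string),
//    and reject IDs the server did not generate itself. Strict mode closes the
//    obvious fixation route where an attacker hands a victim a known ID.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// 4. Harden the cookie that carries the ID.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie; gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // only ever sent over HTTPS
    'httponly' => true,     // not readable by script in the page
    'samesite' => 'Lax',    // not attached to cross-site POSTs
]);

session_start();
```

None of this changes what the cookie contains (still just the ID); it limits who can observe or reuse that ID and who can read the file the ID points at. Server compromise, the first of Erik's two vulnerabilities, is not something the application can fix from inside itself, which is the reason the next message in the thread argues for not keeping the password in the session at all.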




RE: [PHP] Access control question - follow-up question

2002-06-07 Thread Jeff Field

Absolutely right!  I'm storing the password needlessly.  I've got the user
name and that's all I need for anything further.  Thanks!

Jeff

> -Original Message-
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 12:42 PM
> To: PHP List
> Subject: Re: [PHP] Access control question - follow-up question
>
>
> On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> >
> > In regards to "Passing/testing the password on each page is unnecessary and
> > poses security risks.", I'm under the impression that when I create the user
> > and password variables, the variables are only available in the session
> > cookie on my own server, not in the cookie that is sent to the user to
> > maintain sessions.  The cookie sent to the user merely contains the session
> > ID.  Therefore, other than someone hijacking the session, I'm a little
> > unclear as to the security risk.  Have I got this right?
>
> A general rule:  if something doesn't need to be stored, don't store it.
> This saves time and space.
>
> In the instance of passwords, storing them needlessly keeps sensitive
> information around.  This poses a problem in the event your system gets
> compromised.  There are lots of ways that can happen, both known and yet
> to be discovered and yet to be created.  So, it's just safer not to do
> it.
>
> --Dan
>
> --
>PHP classes that make web design easier
> SQL Solution  |   Layout Solution   |  Form Solution
> sqlsolution.info  | layoutsolution.info |  formsolution.info
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>  4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
>






Re: [PHP] Access control question - follow-up question

2002-06-07 Thread Analysis & Solutions

On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> 
> In regards to "Passing/testing the password on each page is unnecessary and
> poses security risks.", I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> cookie on my own server, not in the cookie that is sent to the user to
> maintain sessions.  The cookie sent to the user merely contains the session
> ID.  Therefore, other than someone hijacking the session, I'm a little
> unclear as to the security risk.  Have I got this right?

A general rule:  if something doesn't need to be stored, don't store it.
This saves time and space.

In the instance of passwords, storing them needlessly keeps sensitive
information around.  This poses a problem in the event your system gets
compromised.  There are lots of ways that can happen, both known and yet
to be discovered and yet to be created.  So, it's just safer not to do
it.

--Dan

-- 
   PHP classes that make web design easier
SQL Solution  |   Layout Solution   |  Form Solution
sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409





RE: [PHP] Access control question - follow-up question

2002-06-07 Thread Jeff Field

Your way to check for privileges sounds good.  However, at my site, for this
one area (basically, the customer's area) there's only one privilege; you
either have access or you don't.  So, I'm assuming my way is probably good
enough for now.

In regards to the presence of the session itself being good enough for
verification, the reason I would check for the $_SESSION['user'] is that
that variable means they are logged in, as opposed to merely having a
session in use.  I say that because, given that I may want to start a
session for other uses, such as tracking a user's navigation through the
website, then the presence of the session itself would not be good enough to
know if they've logged in or not.

In regards to "Passing/testing the password on each page is unnecessary and
poses security risks.", I'm under the impression that when I create the user
and password variables, the variables are only available in the session
cookie on my own server, not in the cookie that is sent to the user to
maintain sessions.  The cookie sent to the user merely contains the session
ID.  Therefore, other than someone hijacking the session, I'm a little
unclear as to the security risk.  Have I got this right?

Thanks!

Jeff

> -Original Message-
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 10:42 AM
> To: PHP List
> Subject: Re: [PHP] Access control question
>
>
> Hi Jeff:
>
> On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote:
> >
> > Is it simply enough to just check that $_SESSION['user'] is present, and
> > therefore, by that alone assume the user has logged in and should be granted
> > access?  Or, should I be verifying the $_SESSION['user'] and
> > $_SESSION['pass'] against the database on every page?
>
> If you validate the user/pass before starting a session for the person,
> then the existence of the session itself proves the person has logged
> in.  No?  Passing/testing the password on each page is unnecessary and
> poses security risks.
>
> Disclaimer:  I don't use PHP's session functions for sessions.
>
> What I do in my system is give everyone a session.  All folks who
> haven't logged in are one user.  Once they log in, my session database
> associates their UserID with their session.  The UserID isn't checked on
> each page.  When access to a particular page needs to be limited, I
> check their permission level (which is in another field of the session
> database) to ensure they have the privileges needed to perform the
> operation.
>
> Enjoy,
>
> --Dan
>


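The exchange between Jeff and Dan above (check $_SESSION['user'] as the "logged in" marker because a session may exist for other reasons, check a permission level where a page needs it, and do not carry the password past the login step) fits in a few functions. The code below is an added example written for this thread, not code posted by Jeff, Dan or Erik. It assumes session_start() has already run, that $pdo is a PDO connection, and that a hypothetical users table has the columns user, password_hash and level; the LEVEL_* values are constructed for the example.

```php
<?php
// Added example (not from the thread). Verify the password exactly once at
// login, then keep only the user name and a permission level in $_SESSION.
// The password is never stored, so neither a copied session file nor a
// hijacked session ID yields it, which is Dan's point about not keeping
// sensitive data around.

declare(strict_types=1);

const LEVEL_CUSTOMER = 1;    // constructed privilege levels for this example
const LEVEL_ADMIN    = 10;

/** Verify credentials once; on success, bind the identity to a fresh session ID. */
function login(PDO $pdo, string $user, string $password): bool
{
    // Hypothetical table: users(user, password_hash, level).
    $stmt = $pdo->prepare('SELECT password_hash, level FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The clear-text password exists only in this function's memory.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh ID after authentication so an ID issued before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;                // Jeff's "logged in" marker
    $_SESSION['level']    = (int) $row['level'];  // Dan's permission-level field
    $_SESSION['login_at'] = time();
    // Deliberately NOT stored: $password, $row['password_hash'].
    return true;
}

/**
 * True only for sessions that went through login(). A session started just to
 * track navigation never gets 'user' set, so its mere existence proves nothing.
 */
function isLoggedIn(): bool
{
    return isset($_SESSION['user'], $_SESSION['level']);
}

/** Gate for pages restricted to logged-in users holding at least $minLevel. */
function requireLevel(int $minLevel, string $loginUrl = '/login.php'): void
{
    if (!isLoggedIn() || $_SESSION['level'] < $minLevel) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

/** Drop the server-side data and expire the cookie so the old ID is useless. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// On a customer-area page (Jeff's single-privilege case):
//   requireLevel(LEVEL_CUSTOMER);
// On an administrative page:
//   requireLevel(LEVEL_ADMIN);
```

For Jeff's one-privilege customer area, requireLevel(LEVEL_CUSTOMER) reduces to the isLoggedIn() check he describes; the level field costs nothing now and becomes Dan's per-page permission check the first time a second kind of page appears. What a hijacked session still buys an attacker is the logged-in state until logout or expiry, which is why the transport and cookie protections from Erik's reply remain necessary even once the password is gone from the session.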