Re: [PHP] Re: Login/Security Problem

2001-11-14 Thread Tamas Arpad

On Wednesday 14 November 2001 14:58, you wrote:
I think mixing of the web application's and the host's operating 
system's authentication is not the best thing (if you don't exactly 
need that)

The $isLogged variable that is stored in the session is perfect as 
long as you check that it came from the session 
($HTTP_SESSION_VARS) and you know that no one can access and write 
into your session files (open_basedir, and safe_mode in php.ini).

Arpi

> so set an md5() of each user name as "yes".
> islogged=Ehyfoa74a23gfd
> or whatever is good i think. but sessions are the most secure way,
> so think about both (sessions and cookies) and decide what you
> really need.
>
> you have linux?
> you could make an .htaccess, and make real users with no bash, and
> let them login with real usernames and passwords.
>
> windows?
> on win2k you could do this too. but be sure to not grant access to
> local hd's. major security risk...
>
> "Stefan Rusterholz" <[EMAIL PROTECTED]> wrote in message
> news:009f01c16d13$bfd6b4d0$3c01a8c0@quasimodo...
>
> > I don't think this is a secure method.
> > If I do only a little effort and find out, that it's this variable
> > $islogged

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
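
Added example, not part of the thread or any poster's code: the check from the original question next to the session-only check recommended in the reply above, run over three constructed requests. The function names are hypothetical, and legacy_is_logged() is a simplified model of register_globals (request parameters imported first, session values overwriting them); in PHP 4.1 and later $_SESSION takes the place of $HTTP_SESSION_VARS.

```php
<?php
declare(strict_types=1);

/**
 * Emulates the posted check under register_globals=On.
 * Assumption: simplified model in which query parameters become
 * variables first and session values, if present, overwrite them.
 */
function legacy_is_logged(array $query, array $session): bool
{
    $vars = array_merge($query, $session); // session wins only if the key exists
    $islogged = $vars['islogged'] ?? '';
    // Same logic as the posted snippet: "no" or empty means redirect.
    return !($islogged == 'no' || empty($islogged));
}

/**
 * Session-only check: the flag is read from the session array and
 * nowhere else. Pass $_SESSION ($HTTP_SESSION_VARS on PHP 4.0).
 */
function session_is_logged(array $session): bool
{
    return isset($session['islogged']) && $session['islogged'] === 'yes';
}

/** Page guard: redirect and stop, so the protected page never renders. */
function require_login(array $session): void
{
    if (!session_is_logged($session)) {
        header('Location: index.php');
        exit; // without this the rest of the script still runs
    }
}

// Constructed sample requests (not taken from the thread).
$cases = [
    'forged query, no session' => [['islogged' => 'yes'], []],
    'real login'               => [[], ['islogged' => 'yes']],
    'logged out, forged query' => [['islogged' => 'yes'], ['islogged' => 'no']],
];
foreach ($cases as $name => [$query, $session]) {
    printf("%-26s legacy=%-5s session-only=%s\n", $name,
        var_export(legacy_is_logged($query, $session), true),
        var_export(session_is_logged($session), true));
}
```

Only the first case differs between the two checks: with no session value to overwrite it, the query parameter alone satisfies the legacy check.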




Re: [PHP] Re: Login/Security Problem

2001-11-14 Thread Daniel Masur

so set an md5() of each user name as "yes".
islogged=Ehyfoa74a23gfd
or whatever is good i think. but sessions are the most secure way, so think
about both (sessions and cookies) and decide what you really need.

you have linux?
you could make an .htaccess, and make real users with no bash, and let them
login with real usernames and passwords.

windows?
on win2k you could do this too. but be sure to not grant access to local
hd's. major security risk...

"Stefan Rusterholz" <[EMAIL PROTECTED]> wrote in message
news:009f01c16d13$bfd6b4d0$3c01a8c0@quasimodo...
> I don't think this is a secure method.
> If I do only a little effort and find out, that it's this variable $islogged
> which has to set to "yes" (or whatever) I can gain access by simply typing
> into the browser's address bar
> "www.yourdomain.com/theFileIWantToGo.php?islogged=yes" and I will gain
> access.
>
> I'm sorry, but I can't tell you a better way to do it.
>
> Stefan Rusterholz, [EMAIL PROTECTED]
> --
> interaktion gmbh
> Stefan Rusterholz
> Zürichbergstrasse 17
> 8032 Zürich
> --
> T. +41 1 253 19 55
> F. +41 1 253 19 56
> W3 www.interaktion.ch
> --
>
> - Original Message -
> From: "Daniel Masur" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 14, 2001 2:33 PM
> Subject: [PHP] Re: Login/Security Problem
>
>
> > set a cookie, and delete it with a logout button or when the user leaves
> > your domain
> >
> >
> > "Joe Van Meer" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi there. I'm new to php and would like some insight on securing a
> > > website.
> > > Upon successful login to my site (checks against database for username
> > > and password) I assign a session variable called '$islogged' to 'yes'. On
> > > all other pages throughout my site I use the following code to determine
> > > if this variable is set, and if not redirect them to the login page.
> > >
> > > if($islogged == "no"){
> > >
> > > header("Location:index.php");
> > > }
> > > elseif(EMPTY($islogged))
> > > {
> > > header("Location:index.php");
> > > }
> > >
> > >
> > > This seems to work, however, if I close out my browser and say type in
> > > main.php (this page has the above code) in the address bar I can still
> > > access the page. How can I fix this? Is there something else I could be
> > > doing to improve the functionality?
> > > Any insights would greatly be appreciated.
> > >
> > > Cheers Joe:)







Re: [PHP] Re: Login/Security Problem

2001-11-14 Thread Stefan Rusterholz

I don't think this is a secure method.
If I do only a little effort and find out, that it's this variable $islogged
which has to set to "yes" (or whatever) I can gain access by simply typing
into the browser's address bar
"www.yourdomain.com/theFileIWantToGo.php?islogged=yes" and I will gain
access.

I'm sorry, but I can't tell you a better way to do it.

Stefan Rusterholz, [EMAIL PROTECTED]
--
interaktion gmbh
Stefan Rusterholz
Zürichbergstrasse 17
8032 Zürich
--
T. +41 1 253 19 55
F. +41 1 253 19 56
W3 www.interaktion.ch
--

- Original Message -
From: "Daniel Masur" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 14, 2001 2:33 PM
Subject: [PHP] Re: Login/Security Problem


> set a cookie, and delete it with a logout button or when the user leaves
> your domain
>
>
> "Joe Van Meer" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi there. I'm new to php and would like some insight on securing a
> > website.
> > Upon successful login to my site (checks against database for username
> > and password) I assign a session variable called '$islogged' to 'yes'. On
> > all other pages throughout my site I use the following code to determine if
> > this variable is set, and if not redirect them to the login page.
> >
> > if($islogged == "no"){
> >
> > header("Location:index.php");
> > }
> > elseif(EMPTY($islogged))
> > {
> > header("Location:index.php");
> > }
> >
> >
> > This seems to work, however, if I close out my browser and say type in
> > main.php (this page has the above code) in the address bar I can still
> > access the page. How can I fix this? Is there something else I could be
> > doing to improve the functionality?
> > Any insights would greatly be appreciated.
> >
> > Cheers Joe:)

