So... I can hijack someone else's session if I know their email address?

On Sep 29, 12:40 pm, Brendan Brink <[email protected]> wrote:
> session based on their username which is their email address (email
> address is included in the link)
>
> On Wed, Sep 29, 2010 at 12:16 PM, Hamish Campbell <[email protected]> wrote:
> > How does the system know if the person is logged in?
> >
> > On Sep 29, 12:00 pm, Brendan Brink <[email protected]> wrote:
> >> thanks for that Berend,
> >>
> >> have come up with a solution:
> >>
> >> the link has email address appended and a hashed email address appended
> >>
> >> ie: form.php?h=heu9oghsodiug&[email protected]&eh=huieghsuilehgeslhgs
> >>
> >> so when going to the form:
> >>
> >> 1. know what form they want to view
> >> 2. what email address (user) they are
> >> 3. and they are permitted to view the form (compares email to the email
> >> hash in link)
> >>
> >> If person is logged in, shows them form otherwise:
> >>
> >> prompts for password to accompany their unique email address
> >>
> >> if not a user yet, allows them to create a password which then emails
> >> them a link to activate their account.
> >>
> >> once they have activated the account, they can then click on the
> >> original form again and login and view the form.
> >>
> >> ------
> >>
> >> this should make the login process simple, secure and the registration
> >> system very simple
> >>
> >> any comments on the above security? or enhancements they would make?
> >>
> >> On Wed, Sep 29, 2010 at 11:51 AM, Berend de Boer <[email protected]> wrote:
> >> >>>>>> "Brendan" == Brendan Brink <[email protected]> writes:
> >> >
> >> >     Brendan> The client wants to know is there a way to make it more
> >> >     Brendan> secure without forcing a username / password security
> >> >     Brendan> feature on the system ...as the ability to click on a
> >> >     Brendan> link in an email to go through to the form works
> >> >     Brendan> efficiently...
> >> >
> >> > So the client wants to follow a link without having to prove their
> >> > identity...
> >> >
> >> > Sorry, ain't going to work.
> >> >
> >> > You can constrain access by ip address (or reverse ip address), that's
> >> > the only option. And you would have to add new ip addresses for people
> >> > who are also allowed to view this.
> >> >
> >> > But I don't understand why clients can't use the remember password
> >> > feature...
> >> >
> >> > --
> >> > All the best,
> >> >
> >> > Berend de Boer
> >>
> >> --
> >> Kind Regards,
> >>
> >> Brendan Brink
> >>
> >> SMS Marketing Consultant | Manager
> >> Sell2Cell Ltd.
> >>
> >> 021 0246 1646 | [email protected] | www.sell2cell.co.nz
> >>
> >> We provide customized, cost-effective SMS & Web Solutions
> >> Need a website? Need to integrate text-messaging into your business
> >> or website? Contact us today for a free no-obligation quote!
> >>
> >> VISIT OUR ASSOCIATED WEBSITES: textvouchers.com | textguru.co.nz
> >>
> >> WARNING This email contains information which is CONFIDENTIAL and may
> >> be subject to LEGAL PRIVILEGE. If you are not the intended recipient,
> >> you must not peruse, use, disseminate, distribute or copy the email or
> >> attachments. If you have received this in error, please notify us
> >> immediately by return email, facsimile, or telephone (call us
> >> collect).
>
> --
> Kind Regards,
>
> Brendan Brink
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [email protected]
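The link scheme discussed in this thread, reworked as an added example (this is not code from the thread or from the Sell2Cell system; PHP because the list is a PHP group). It puts the proposed check (eh = hash of the email, with the email itself also in the link) beside a token that is an HMAC keyed with a secret held only on the server and bound to the form id and an expiry, and it shows the session being identified by a random server-side id rather than by the email address, which is the point behind Hamish's question. The form id, address, secret, parameter names and the one-week validity are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Constructed sample values standing in for the real form id, user address and
// server secret. The secret must never appear in a link or in client-side code.
const FORM_ID       = 'feedback-form-1';
const USER_EMAIL    = '[email protected]';
const SERVER_SECRET = 'hypothetical-long-random-secret-kept-on-the-server-only';

// Check as proposed in the thread: eh = hash(email). Every input to this check
// travels in the link itself, so it proves only that the sender could compute a
// hash, not that the server issued the link.
function unkeyedEmailHash(string $email): string
{
    return hash('sha256', strtolower($email));
}

function unkeyedCheckPasses(string $email, string $eh): bool
{
    return hash_equals(unkeyedEmailHash($email), $eh);
}

// Hardened link token: HMAC over form id, address and expiry, keyed with the
// server secret. A valid token shows the server issued this link for this
// address and this form; it still only identifies the user and must not log
// anyone in by itself (the password prompt Brendan describes stays in place).
function makeLinkToken(string $formId, string $email, int $expiresAt, string $secret): string
{
    $message = $formId . "\n" . strtolower($email) . "\n" . $expiresAt;
    return hash_hmac('sha256', $message, $secret);
}

function verifyLinkToken(
    string $formId,
    string $email,
    int $expiresAt,
    string $token,
    string $secret,
    int $now
): bool {
    if ($now > $expiresAt) {
        return false; // expired links are refused before any comparison
    }
    $expected = makeLinkToken($formId, $email, $expiresAt, $secret);
    return hash_equals($expected, $token); // constant-time comparison
}

// Session identity: called only after the password check succeeds. The session
// is keyed on a random id PHP generates, and the address lives server-side in
// $_SESSION, so knowing someone's email address does not yield their session.
function startUserSession(string $email): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true);      // fresh id at login, discards any pre-login id
    $_SESSION['user_email'] = $email; // identity stored on the server, not in the cookie
}

// Build the link the hardened scheme would email out.
$expires = time() + 7 * 24 * 3600; // one-week validity, hypothetical policy
$token   = makeLinkToken(FORM_ID, USER_EMAIL, $expires, SERVER_SECRET);
$link    = 'form.php?' . http_build_query([
    'h'     => FORM_ID,
    'email' => USER_EMAIL,
    'exp'   => $expires,
    't'     => $token,
]);
echo "Link: {$link}\n";

// The unkeyed check needs nothing but the address to satisfy it.
printf("unkeyed check, hash recomputed from the address alone: %s\n",
    unkeyedCheckPasses(USER_EMAIL, unkeyedEmailHash(USER_EMAIL)) ? 'passes' : 'fails');

// The keyed token: accepted as issued, refused when altered or after expiry.
printf("keyed token as issued:      %s\n",
    verifyLinkToken(FORM_ID, USER_EMAIL, $expires, $token, SERVER_SECRET, time()) ? 'accepted' : 'refused');
printf("keyed token, wrong value:   %s\n",
    verifyLinkToken(FORM_ID, USER_EMAIL, $expires, str_repeat('0', 64), SERVER_SECRET, time()) ? 'accepted' : 'refused');
printf("keyed token, after expiry:  %s\n",
    verifyLinkToken(FORM_ID, USER_EMAIL, $expires, $token, SERVER_SECRET, $expires + 1) ? 'accepted' : 'refused');
```

Run it with the php command-line binary. The difference between the two checks is where the secret lives: the unkeyed hash can be recomputed by anyone who has the address, so the eh parameter adds nothing beyond the email parameter next to it, while the HMAC cannot be produced without the server's key. The token also carries the form id and an expiry, so a link for one form cannot be reused for another or kept indefinitely. Neither token should create a logged-in state on its own; the session starts only after the password step, with a regenerated random id and the address held in server-side session data.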
