>
>GET or POST parameters are for user input. Handing information over to the 
>client and taking it back later is a potential security leak. If you have 
>no means of revalidating the information after it crossed the so-called 
>trust boundary, you shouldn't do it.
>Send a handler, some random and unique (nothing like 1,2,3 or a,b,c)
>identifier and store the critical information in a session variable or 
>somewhere else.

In spamwhack, I have secure access using this technique.

On login I pass you a cookie (10 digit random number, base 16) store the 
cookie in the database marked invalid, and take your username and password.

On submit, I check the username and password against the database, also the 
originating IP address, to see if it's in-range for that account. If so, I 
mark the db entry valid.

When you pull up the next page, you get a new random cookie, which is also 
invalid. I take the cookie you gave me, check against the database. If it 
matches, and the IP address is still the same, then I mark the new one valid.

This happens for every page access in the secure area.
You have to hand me the right cookie value, and each cookie is only good 
for one page. I refresh the same cookie, so as not to fill up the jar 
impolitely.

It's not as complicated as it sounds. The idea is that you can steal a 
cookie value, but it won't help you, since you'll be from a different IP. 
If you can grab the cookie value, and forge the IP address, then you can 
hijack the session.

It's never happened yet.

Other fun: On login, after a couple tries, the script goes into a mode 
where even the correct password will be rejected. It also sends emails to 
me, and to the account holder, that someone is messing with it.

I put a randomised delay in the password script as well, so that it's not 
obvious whether you're being accepted or rejected until the script finishes, 
so as to foil automated attempts to speed up a dictionary attack.

There's more, but....
:)

--
Dave's Engineering Page: http://www.dvanhorn.org
Where's dave? http://www.findu.com/cgi-bin/find.cgi?kc6ete-9
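The following is an added example, not code from spamwhack or from the post above. It models Dave's scheme in Python (the list's PHP is not required for the protocol logic): a token is minted and stored as invalid, a login marks it valid only when the password and the client's address range check out, every page access consumes the presented token and issues a fresh one, a token replayed or presented from another IP is refused, repeated failures lock the account and notify, and the password check is padded with a randomised delay. All names, the in-memory dictionary standing in for the database, the lockout threshold of three, the delay range, the password hashing, the choice to burn a token on a failed check, and the sample account and RFC 5737 addresses are assumptions of this example, not details from the post.

```python
"""Per-page rotating session tokens bound to client IP, with lockout and a
randomised login delay. Illustrative model of the scheme in the post; the
store, names, threshold and sample data are constructed for this example."""
import hashlib
import hmac
import ipaddress
import random
import secrets
import time

LOCKOUT_AFTER = 3        # failed logins before the account locks (assumed value)
TOKEN_HEX_DIGITS = 10    # the post's "10 digit random number, base 16"


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds cleartext passwords (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self, delay_range=(0.0, 0.0), notify=None):
        self.accounts = {}   # username -> {salt, hash, networks, failures}
        self.tokens = {}     # token -> {user, ip, valid}
        self.delay_range = delay_range          # randomised delay bounds (seconds)
        self.notify = notify or (lambda user, msg: None)   # stands in for the e-mails

    def add_account(self, user, password, allowed_networks):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {
            "salt": salt, "hash": hash_password(password, salt),
            "networks": [ipaddress.ip_network(n) for n in allowed_networks],
            "failures": 0}

    def new_token(self):
        """Mint a token and record it as *invalid* until a check succeeds."""
        token = secrets.token_hex(TOKEN_HEX_DIGITS // 2)
        self.tokens[token] = {"user": None, "ip": None, "valid": False}
        return token

    def _ip_in_range(self, user, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.accounts[user]["networks"])

    def login(self, token, user, password, ip):
        """Check the submitted login against the pending token. True on success."""
        time.sleep(random.uniform(*self.delay_range))   # hide accept/reject timing
        acct = self.accounts.get(user)
        rec = self.tokens.get(token)
        ok = (acct is not None and rec is not None
              and acct["failures"] < LOCKOUT_AFTER      # locked: even correct is rejected
              and hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"]))
              and self._ip_in_range(user, ip))
        if not ok:
            if acct is not None:
                acct["failures"] += 1
                if acct["failures"] == LOCKOUT_AFTER:
                    self.notify(user, "repeated failed logins; account locked")
            self.tokens.pop(token, None)                # a failed token is burned
            return False
        rec.update(user=user, ip=ip, valid=True)
        return True

    def access(self, token, ip):
        """Per-page check: consume the presented token and return a fresh valid one,
        or None if it is unknown, already used, never validated, or from another IP."""
        rec = self.tokens.pop(token, None)              # each token is good for one page
        if rec is None or not rec["valid"] or rec["ip"] != ip:
            return None
        new = self.new_token()
        self.tokens[new].update(user=rec["user"], ip=ip, valid=True)
        return new


def demo():
    """Walk through login, rotation, replay, cookie theft and lockout."""
    events = []
    store = SessionStore(delay_range=(0.001, 0.005),
                         notify=lambda user, msg: events.append((user, msg)))
    store.add_account("dave", "correct horse", ["203.0.113.0/24"])   # constructed
    t0 = store.new_token()
    logged_in = store.login(t0, "dave", "correct horse", "203.0.113.7")
    t1 = store.access(t0, "203.0.113.7")       # first page: t0 consumed, t1 issued
    t2 = store.access(t1, "203.0.113.7")       # next page: t1 consumed, t2 issued
    replay = store.access(t0, "203.0.113.7")   # old cookie again: refused
    stolen = store.access(t2, "198.51.100.9")  # same cookie, other IP: refused
    for _ in range(LOCKOUT_AFTER):             # too many wrong passwords
        store.login(store.new_token(), "dave", "wrong", "203.0.113.7")
    locked = store.login(store.new_token(), "dave", "correct horse", "203.0.113.7")
    return {"logged_in": logged_in, "t1": t1, "t2": t2, "replay": replay,
            "stolen": stolen, "locked_out": not locked, "notifications": events}


if __name__ == "__main__":
    print(demo())
```

Because `access()` pops the token before checking it, a cookie presented from the wrong address is gone for the legitimate user too, so the user is bounced to login rather than silently sharing the session; that trade-off is this example's choice, not something the post specifies.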
