Alain Roger wrote:
Ok, but i would be very glad to know how can i REALLY authenticate the
user.
for example, user is logged, so i have in the cookie his login name.
how can i be sure that it's the same user and not some hacker who hacked
the
cookie and the session ?
what should be checked and where those data should be stored ?
because i can store in DB the sessionID, and check it to every DB request
user does...but a sessionID can be easily fake.
So what should I do ?
Don't store anything in cookies except the session identifier, which is
done for you by PHP. You don't need to concern yourself with cookies at all.
As far as validating that it's the same user, really don't worry about
it. It's as secure as it's going to get without affecting usability in a
big way. Even tying the session cookie to the IP address can have it's
problems, for example if the user is going through a proxy that might
end up using a different IP from request to request.
-Stut
On 3/4/07, Tijnema ! <[EMAIL PROTECTED]> wrote:
On 3/4/07, Stut <[EMAIL PROTECTED]> wrote:
>
> Alain Roger wrote:
> > I would like to implement a module access rights in my web
application.
> > Basically after authentication and authorization. Logged user has a
> > particular profile which allow him to have access to some part of the
> web
> > application.
> >
> > after reading the security guide from *php*sec.org webpage, i'm
confused
> > regarding how to store user login and password.
> > I mean the encrypted password stored in database is compared to
> encrypted
> > password that user type.
> >
> > But where to store login and password once user is logged ?
> >
> > when i read the security guide it seems that it is not secured enough
to
> > store them in cookies or in sessions data...
> > both can be hacked... So what is the best solution ?
> >
> > i will use those stored data to check if logged user can have access
to
> a
> > particular part of the web application.
> >
> > What is your point of view in such domain ?
>
> Ok, once the user has logged in there is no need to store the password.
> Simply store the username or other user details (but not the password)
> in the session - that's as secure as it's gonna get.
>
> *Never* store a password in a cookie. *Ever*.
>
> -Stut
That's right, never store a password in a cookie or session, maybe a
little
extra security could be added by locking the cookie to a IP address, but
even more secure isn't possible.
Tijnema
--
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php