Re: [PHP] PHP authenticating and session management

2001-06-25 Thread Richard Lynch

> 1.)
> I see from www.php.net that people say they generate a Session ID by
> themselves:
> srand((double)microtime()*100);
> $unique_str = md5(rand(0,999));
> Why should we generate it ourselves? PHP will create it itself.

Once upon a time, a long time ago, there was no built-in PHP session
support.

Thus, one had to generate session IDs for oneself.

When I was a newbie, we *walked* to school.  In the snow.  Uphill.  Both
ways. :-)

--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] PHP authenticating and session management

2001-06-24 Thread Bass???

Oh, I see.
Check the IP to prevent it.

But I have another Q.
1.)
I see from www.php.net that people say they generate a Session ID by
themselves:
srand((double)microtime()*100);
$unique_str = md5(rand(0,999));
Why should we generate it ourselves? PHP will create it itself.

2.)
Will the session have problems when people browse from an http page to an https
page and then leave it again?

thx


"Christopher Ostmo" <[EMAIL PROTECTED]> wrote in message
news:3B337955.15490.27965520@localhost...
> Bass??? pressed the little lettered thingies in this order...
>
> > I have a Q.
> > Will the Session ID be stolen by a hacker when the ID transfers between
> > client and server? Then can the hacker send the ID to the server and view
> > the user's page?
> >
>
> Yes.  That *can* happen to any non-encrypted transmission that
> passes over an untrusted network.  It would be difficult to do, so it's
> unlikely, but it *can* happen. It would require a packet sniffer on your
> network, on the target network or somewhere between.
>
> If you want to prevent this, you should match session ID with requesting
> IP address, log both into a database and check both for each page
> request.
>
> If the data being accessed is *that* important that a hacker would go
> through that much trouble to hijack a session, you probably should
> consider using SSL.
>
> Christopher Ostmo
> a.k.a. [EMAIL PROTECTED]
> AppIdeas.com
> Meeting cutting edge dynamic
> web site needs
>
> For a good time,
> http://www.AppIdeas.com/
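Added example (my code, not code from the thread or from PHP's documentation) for the two questions above: it shows how few identifiers the quoted generator can actually produce, and how to let PHP issue the session ID and keep it off the wire. The cookie's secure flag is also the answer to question 2: a cookie marked secure is never sent on a plain http page, so moving between http and https does not expose it. The example assumes PHP 7.3 or newer for the array form of session_set_cookie_params(); all function names are this example's own.

```php
<?php
// Added example, not from the thread. Requires PHP >= 7.3 (array form of
// session_set_cookie_params()); all names below are this example's own.

// 1) The hand-rolled generator quoted above. Seeding rand() does not add
//    entropy: rand(0,999) can only produce 1000 different inputs to md5(),
//    and the seed itself ((double)microtime()*100) only takes values 0..99,
//    so in practice far fewer distinct IDs come out.
function weak_session_id(): string
{
    $seed = (int)((float)microtime() * 100);   // fraction of a second, 0..99
    srand($seed);
    return md5((string)rand(0, 999));
}

// Count how many distinct IDs the weak generator reaches in $trials draws.
// The result never exceeds 1000 (and is at most 100 given the seed range),
// so an attacker guessing IDs needs only that many attempts.
function distinct_weak_ids(int $trials): int
{
    $seen = [];
    for ($i = 0; $i < $trials; $i++) {
        $seen[weak_session_id()] = true;
    }
    return count($seen);
}

// 2) If you must mint an identifier yourself (a one-time token, say, not a
//    session ID), take it from the CSPRNG: 16 random bytes = 2^128 values.
function strong_token(): string
{
    return bin2hex(random_bytes(16));
}

// 3) For sessions, let PHP generate the ID and harden how it travels.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept ?PHPSESSID=... from the URL
    ini_set('session.use_trans_sid', '0');     // and never write the ID into links
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // sent over https only (question 2)
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    session_start();
}

// Offline demonstration (no web server needed).
if (PHP_SAPI === 'cli') {
    printf("weak generator: %d distinct IDs from 20000 draws\n", distinct_weak_ids(20000));
    printf("CSPRNG token:   %s\n", strong_token());
}
```

Session IDs carried in the URL (trans_sid) end up in browser history, proxy logs and Referer headers, which is why the hardened setup turns that off and relies on cookies only.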







Re: [PHP] PHP authenticating and session management

2001-06-22 Thread Christopher Ostmo

Bass??? pressed the little lettered thingies in this order...

> I have a Q.
> Will the Session ID be stolen by a hacker when the ID transfers between client
> and server? Then can the hacker send the ID to the server and view the user's
> page?
> 

Yes.  That *can* happen to any non-encrypted transmission that 
passes over an untrusted network.  It would be difficult to do, so it's 
unlikely, but it *can* happen. It would require a packet sniffer on your 
network, on the target network or somewhere between.

If you want to prevent this, you should match session ID with requesting 
IP address, log both into a database and check both for each page 
request.

If the data being accessed is *that* important that a hacker would go 
through that much trouble to hijack a session, you probably should 
consider using SSL.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/
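Added example of the session-to-client binding recommended above (my code, not Christopher's). The session array and the request values are passed in as parameters so the check can be exercised offline; on a real page they would be $_SESSION, $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT']. The function names and the sample addresses are constructed for the example.

```php
<?php
// Added example, not from the thread. Binds a session to the client that
// logged in and re-checks the binding on every request.

// Record who the session was issued to. Call once, right after a successful
// login, together with session_regenerate_id(true) so the pre-login ID dies.
function bind_session_to_client(array &$session, string $remote_addr, string $user_agent): void
{
    $session['bound_ip'] = $remote_addr;
    // Only equality is needed, and hashing keeps arbitrary client strings
    // out of the session store.
    $session['bound_ua'] = hash('sha256', $user_agent);
    $session['bound_at'] = time();
}

// Check that the session is still presented by the same client. Returns
// null when everything matches, otherwise a short reason for the server log
// (never echo it to the client).
function verify_session_client(array $session, string $remote_addr, string $user_agent): ?string
{
    if (!isset($session['bound_ip'], $session['bound_ua'])) {
        return 'session was never bound to a client';
    }
    if (!hash_equals($session['bound_ip'], $remote_addr)) {
        // Caveat: legitimate users change IP behind proxy pools, NAT and
        // mobile networks. Treat a mismatch as a reason to re-authenticate,
        // not as proof of an attack.
        return 'ip mismatch';
    }
    if (!hash_equals($session['bound_ua'], hash('sha256', $user_agent))) {
        return 'user-agent mismatch';
    }
    return null;
}

// Glue for a real page: include this at the top of every protected page.
function require_bound_session(): void
{
    session_start();
    $problem = verify_session_client(
        $_SESSION,
        $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? ''
    );
    if ($problem !== null) {
        // Log a hash prefix rather than the raw ID so the log itself is not
        // a list of usable session IDs.
        error_log('session check failed: ' . $problem
            . ' sid=' . substr(hash('sha256', session_id()), 0, 12));
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit;
    }
}

// Offline demonstration with constructed values.
if (PHP_SAPI === 'cli') {
    $session = [];
    bind_session_to_client($session, '192.0.2.10', 'ExampleBrowser/1.0');
    var_dump(verify_session_client($session, '192.0.2.10', 'ExampleBrowser/1.0'));   // NULL
    var_dump(verify_session_client($session, '198.51.100.7', 'ExampleBrowser/1.0')); // "ip mismatch"
}
```

The binding raises the bar for someone who has captured the ID from the wire, but it does not replace SSL: an attacker positioned to sniff the cookie is often on the same network path and may share or spoof the address.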





Re: [PHP] PHP authenticating and session management

2001-06-22 Thread Style|warrioR

Interesting question! I'm also interested in it, because I read somewhere
that it's possible to "kidnap" sessions...




"Bass???" <[EMAIL PROTECTED]> wrote in the news posting:
9gvt89$pi5$[EMAIL PROTECTED]
> I have a Q.
> Will the Session ID be stolen by a hacker when the ID transfers between client
> and server?
> Then can the hacker send the ID to the server and view the user's page?
>
>
> "Jason Stechschulte" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
> > > Simply check $username and bring up the user's page? But this makes it
> > > possible for any hacker to send a cookie with username and see that
> > > page. I know that PHP stores a unique random number for each session
> > > but how can I check that it matches with the number in the cookie.
> >
> >
> > Why not just check for username this way:
> >
> > <?php
> > session_start();   // the session must be started before its variables exist
> > // session_is_registered() is PHP 4 era; isset($_SESSION["username"]) is the modern form
> > if(session_is_registered("username")) {
> >     // Do stuff
> > }
> > ?>
> >
> > Then username has to be registered as a session variable so any hacker
> > (sic) can't just send a username to see that page.
> >
> > --
> > Jason Stechschulte
> > [EMAIL PROTECTED]
> > --
> > echo "Your stdio isn't very std."
> >  -- Larry Wall in Configure from the perl distribution







Re: [PHP] PHP authenticating and session management

2001-06-22 Thread stylewarrior

No, it also works if your user has cookies disabled.




"Jaxon" <[EMAIL PROTECTED]> wrote in the news posting:
[EMAIL PROTECTED]
> Does this depend on cookies?
>
> regards,
> jaxon
>
>
> > -Original Message-
> > From: Style|warrioR [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 22, 2001 5:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] PHP authenticating and session management
> >
> >
> > I'm not quite sure if this is the perfect way because I'm pretty new to
> > this session stuff, too.
> > But my version looks like this:
> >
> > [login.php]
> > a form with username and password field.
> > submit --> auth.php
> >
> >
> > [auth.php]
> > check if username and password are ok (from a text file or your mysql
> > database) [yes|no]
> > [no] -> echo "bad login or password."; exit;
> > [yes] -> start a session, save username and password in session vars,
> > redirect to userpage
> >
> >
> > let's say your userpages look like "aUsername_blah.php"
> >
> >
> > ["aUsername_blah.php"]
> > include a script on every userpage that checks if login and password are
> > correct [yes|no]
> > [no] -> redirect to login.php
> > [yes] -> display page
> >
> >
> > comments appreciated :)
> > .andi
> >
> >
> >
> >
> >
> >
> > "Arash Dejkam" <[EMAIL PROTECTED]> wrote in the news posting:
> > 9guhbf$msi$[EMAIL PROTECTED]
> > > Hi,
> > >
> > > I want to use the PHP session manager but I have some problems.
> > >
> > > I want the session to start in a login page, so I do this for example:
> > >
> > > after authenticating...
> > > session_start();
> > > session_register("username");
> > >
> > > then I want the user to be able to see his own pages; what do I have to
> > > do in those pages?
> > >
> > > Simply check $username and bring up the user's page? But this makes it
> > > possible for any hacker to send a cookie with username and see that
> > > page. I know that PHP stores a unique random number for each session
> > > but how can I check that it matches with the number in the cookie.
> > >
> > > Help me please, I'm really confused!
> > >
> > > Thanks
> > >
> > > Arash Dejkam







Re: [PHP] PHP authenticating and session management

2001-06-22 Thread Bass???

I have a Q.
Will the Session ID be stolen by a hacker when the ID transfers between client
and server?
Then can the hacker send the ID to the server and view the user's page?


"Jason Stechschulte" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
> > Simply check $username and bring up the user's page? But this makes it
> > possible for any hacker to send a cookie with username and see that
> > page. I know that PHP stores a unique random number for each session
> > but how can I check that it matches with the number in the cookie.
>
>
> Why not just check for username this way:
>
> <?php
> session_start();   // the session must be started before its variables exist
> // session_is_registered() is PHP 4 era; isset($_SESSION["username"]) is the modern form
> if(session_is_registered("username")) {
>     // Do stuff
> }
> ?>
>
> Then username has to be registered as a session variable so any hacker
> (sic) can't just send a username to see that page.
>
> --
> Jason Stechschulte
> [EMAIL PROTECTED]
> --
> echo "Your stdio isn't very std."
>  -- Larry Wall in Configure from the perl distribution







RE: [PHP] PHP authenticating and session management

2001-06-22 Thread Jaxon

Does this depend on cookies?

regards,
jaxon


> -Original Message-
> From: Style|warrioR [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 22, 2001 5:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] PHP authenticating and session management
>
>
> I'm not quite sure if this is the perfect way because I'm pretty new to this
> session stuff, too.
> But my version looks like this:
>
> [login.php]
> a form with username and password field.
> submit --> auth.php
>
>
> [auth.php]
> check if username and password are ok (from a text file or your mysql
> database) [yes|no]
> [no] -> echo "bad login or password."; exit;
> [yes] -> start a session, save username and password in session vars,
> redirect to userpage
>
>
> let's say your userpages look like "aUsername_blah.php"
>
>
> ["aUsername_blah.php"]
> include a script on every userpage that checks if login and password are
> correct [yes|no]
> [no] -> redirect to login.php
> [yes] -> display page
>
>
> comments appreciated :)
> .andi
>
>
>
>
>
>
> "Arash Dejkam" <[EMAIL PROTECTED]> wrote in the news posting:
> 9guhbf$msi$[EMAIL PROTECTED]
> > Hi,
> >
> > I want to use the PHP session manager but I have some problems.
> >
> > I want the session to start in a login page, so I do this for example:
> >
> > after authenticating...
> > session_start();
> > session_register("username");
> >
> > then I want the user to be able to see his own pages; what do I have to
> > do in those pages?
> >
> > Simply check $username and bring up the user's page? But this makes it
> > possible for any hacker to send a cookie with username and see that
> > page. I know that PHP stores a unique random number for each session
> > but how can I check that it matches with the number in the cookie.
> >
> > Help me please, I'm really confused!
> >
> > Thanks
> >
> > Arash Dejkam






Re: [PHP] PHP authenticating and session management

2001-06-22 Thread Jason Stechschulte

On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
> Simply check $username and bring up the user's page? But this makes it
> possible for any hacker to send a cookie with username and see that page. I
> know that PHP stores a unique random number for each session but how can I
> check that it matches with the number in the cookie.


Why not just check for username this way:

<?php
session_start();   // the session must be started before its variables exist
// session_is_registered() is PHP 4 era; isset($_SESSION["username"]) is the modern form
if(session_is_registered("username")) {
    // Do stuff
}
?>

Then username has to be registered as a session variable so any hacker
(sic) can't just send a username to see that page.

-- 
Jason Stechschulte
[EMAIL PROTECTED]
--
echo "Your stdio isn't very std."
 -- Larry Wall in Configure from the perl distribution





Re: [PHP] PHP authenticating and session management

2001-06-22 Thread Style|warrioR

I'm not quite sure if this is the perfect way because I'm pretty new to this
session stuff, too.
But my version looks like this:

[login.php]
a form with username and password field.
submit --> auth.php


[auth.php]
check if username and password are ok (from a text file or your mysql
database) [yes|no]
[no] -> echo "bad login or password."; exit;
[yes] -> start a session, save username and password in session vars,
redirect to userpage


let's say your userpages look like "aUsername_blah.php"


["aUsername_blah.php"]
include a script on every userpage that checks if login and password are
correct [yes|no]
[no] -> redirect to login.php
[yes] -> display page


comments appreciated :)
.andi






"Arash Dejkam" <[EMAIL PROTECTED]> wrote in the news posting:
9guhbf$msi$[EMAIL PROTECTED]
> Hi,
>
> I want to use the PHP session manager but I have some problems.
>
> I want the session to start in a login page, so I do this for example:
>
> after authenticating...
> session_start();
> session_register("username");
>
> then I want the user to be able to see his own pages; what do I have to do
> in those pages?
>
> Simply check $username and bring up the user's page? But this makes it
> possible for any hacker to send a cookie with username and see that page.
> I know that PHP stores a unique random number for each session but how can I
> check that it matches with the number in the cookie.
>
> Help me please, I'm really confused!
>
> Thanks
>
> Arash Dejkam
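The login flow described in the post above, carried out as one added example file (my code, not .andi's), which also covers Jason's point that the page must consult the session rather than a $username arriving from the request. One file stands in for login.php, auth.php and the per-page check; the user store is constructed inline, and user_store(), authenticate(), login_session() and require_login() are this example's own names. It assumes PHP 7.4 or newer. It departs from the post in two places: only the username goes into the session (never the password), and the session ID is regenerated at login so an ID obtained before authentication is worthless afterwards.

```php
<?php
// Added example, not from the thread. One file in place of login.php,
// auth.php and the include that every user page runs.

// Constructed user store: username => password_hash() output. A real site
// reads this from its database.
function user_store(): array
{
    static $users = null;
    return $users ??= [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// A real hash to verify against when the user does not exist, so a lookup
// failure takes as long as a wrong password and does not reveal valid names.
function dummy_hash(): string
{
    static $h = null;
    return $h ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
}

// auth.php: check the credentials and upgrade the session on success.
function authenticate(string $username, string $password): bool
{
    $users = user_store();
    $hash  = $users[$username] ?? dummy_hash();
    $ok    = password_verify($password, $hash) && isset($users[$username]);
    if ($ok) {
        login_session($username);
    }
    return $ok;
}

function login_session(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);          // discard the pre-login ID
    $_SESSION['username']  = $username;   // identity only; the password is never stored
    $_SESSION['logged_in'] = time();
}

// The include for every user page ("aUsername_blah.php" in the post):
// trust only what the server put into the session, never a request value.
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['username'];
}

// login.php posts here.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (authenticate($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: userpage.php');
    } else {
        http_response_code(401);
        echo 'bad login or password.';
    }
    exit;
}

// Offline demonstration: start the session before any output, as a page would.
if (PHP_SAPI === 'cli') {
    session_start();
    var_dump([
        'wrong password' => authenticate('alice', 'wrong'),                        // false
        'right password' => authenticate('alice', 'correct horse battery staple'), // true
        'session holds'  => $_SESSION['username'] ?? null,                        // "alice"
    ]);
}
```

The user page then needs only `$user = require_login();` at the top; whether the visitor is logged in is decided by the server-side session data, so sending a cookie or form field named username achieves nothing.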


