Hi,

I'm wanting to create a simple authentication system for use with ACL.
I do not believe the Auth component is suitable for this, as my ACL
setup is not based on controller/actions and is quite strange in
general.

I currently have a system such as that described in
http://bakery.cakephp.org/articles/view/simple-form-authentication-in-1-2-x-x
at the moment, however before the application is released into the
wild I would just like to ask about a couple of security concerns with
this system.

I understand that this system is very simple, basically consisting of
login() and __validateLoginStatus() functions. My concern with the
implementation is: can't a 3rd party just repeatedly try different
SessionIDs until successful, as when validating the current login
status, it just checks to see if there is a Session variable defined
for "User"? Isn't this open to abuse? What would be a more secure
method of validation?

(Actual logging in seems fine (ish) - apart from packet sniffing where
the username/password combo could be picked up, but as not every site
in the world uses SSL I assume this isn't such an issue.)

I think I have confused myself with this problem, and am probably
looking at this incorrectly. I blame my inexperience, and the opiates
they gave me after my operation earlier.
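As an added illustration (plain PHP, not the bakery article's code and not CakePHP's own Session API), the login()/__validateLoginStatus() pair above could be hardened along these lines: the ID is regenerated at login so a previously chosen or observed ID is useless, strict mode makes the server refuse IDs it never issued, and validation checks more than the bare presence of a "User" key. The $users array and password are constructed sample data standing in for a database lookup.

```php
<?php
// Added example: hardened login / validation pair (assumes PHP >= 7.3).
// $users is a constructed stand-in for a user table; the hash is built at runtime.
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// The session ID must only ever travel in a cookie, over HTTPS, unreadable by scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue (anti-fixation)
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // New ID at the privilege boundary: whatever ID the browser carried before login
    // (possibly chosen by an attacker) is discarded and its server-side data deleted.
    session_regenerate_id(true);
    $_SESSION['User'] = [
        'id'        => $users[$username]['id'],
        'logged_in' => time(),
        'ua_hash'   => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
    return true;
}

function validateLoginStatus(int $maxAge = 28800): bool
{
    // Presence alone is not enough: require a real user id written by login().
    if (empty($_SESSION['User']['id'])) {
        return false;
    }
    $u = $_SESSION['User'];
    // Absolute lifetime bounds how long a stolen ID stays useful; the user-agent
    // comparison is a coarse hijack check, not a substitute for TLS.
    if (time() - $u['logged_in'] > $maxAge
        || !hash_equals($u['ua_hash'], hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''))) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}
```

With a server-generated random ID and strict mode enabled, guessing a valid ID by repeated trial is impractical; the realistic risks are fixation (addressed by regenerating at login) and hijacking of an ID sent in the clear (addressed by the Secure cookie flag and HTTPS).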