Tamper-proof sessions

From: Colin McKinnon (colin.deletethis_at_andthis.mms3.com)
Date: 06/23/04


Date: Wed, 23 Jun 2004 15:41:11 +0100

Hi all,

I want some data generated and stored at authentication which will be
accessible throughout a (web) session. However I want better security
controls than just storing it within the session - anyone who can write a
PHP script on the server can then modify the contents.

There doesn't seem to be any easy way of separating the privilege (so e.g. a
setuid program might write the data to a file, not writable by the
webserver user). I don't want to have to run a second webserver as a
different user just to achieve this.

Anybody any ideas?

TIA,

Colin


