RE: [PHP] Session Authentication

-----Original Message-----
From: Tijnema ! [mailto:tijnema@xxxxxxxxx]
Sent: Monday, April 09, 2007 5:38 PM
To: Martin Marques
Cc: Ólafur Waage; php-general@xxxxxxxxxxxxx
Subject: Re: [PHP] Session Authentication

On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> Tijnema ! wrote:
> > On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> > > Yes:
> > >
> > > Don't use transparent session id, or even better, save the
> > > authentication in a cookie on the client (separated from the session
> > > array).
> >
> > And then the user would crack the cookie ....
> > I know they are encrypted, but trust me, cookies can be edited.
>
> So what? The user authenticated himself, so what is he gonna crack?

Yes, but I guess you're not only storing if the user has
authenticated, also storing a username?

And if that's not the case, then you could authenticate by creating a
cookie where it says authenticated = yes, and you're authenticated...

Tijnema

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[Peter Lauri - DWS Asia]

If cookies were that insecure, so that you could create your own cookies
that easily, would cookies even exist?

Best regards,
Peter Lauri

www.dwsasia.com - company web site
www.lauri.se - personal web site
www.carbonfree.org.uk - become Carbon Free
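The point the thread circles around, shown as an added example (this is not code from the thread or from any of its participants): a cookie that just says authenticated=yes, or carries a bare username, is accepted as-is by the server, so anyone can type it in with curl. Cookies are plain text on the wire and in the browser's jar; nothing encrypts them unless the application does. The example puts that forgeable pattern beside two fixes: an HMAC-signed cookie, which the client can still read but cannot alter without the server's key, and a server-side session, where the cookie holds only a random session ID and use_trans_sid is off so the ID never appears in URLs (Martin's "transparent session id"). Assumptions: PHP 7.1 or later, HTTPS, and a COOKIE_KEY loaded from configuration rather than the placeholder literal used here; the cookie values fed to the functions are constructed inputs, not captured traffic.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 and HTTPS.

// 1. The forgeable pattern under discussion: the server trusts whatever the
//    client sends. Sending "Cookie: authenticated=yes; username=admin" is all
//    an attacker needs, because the cookie is plain text, not encrypted.
function is_logged_in_naive(array $cookies): bool
{
    return isset($cookies['authenticated']) && $cookies['authenticated'] === 'yes';
}

// 2. Signed cookie. The client can still read the contents (base64 is an
//    encoding, not encryption), but changing a single byte breaks the HMAC,
//    which only the server can recompute because only the server has the key.
//    Assumption: in real code the key comes from configuration, e.g. 32 bytes
//    from random_bytes(), never a literal in the source like this placeholder.
const COOKIE_KEY = 'assumed-placeholder-key-replace-with-random_bytes(32)';

function sign_cookie(string $username, int $expires, string $key): string
{
    $payload = base64_encode(json_encode(['u' => $username, 'exp' => $expires]));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Returns the username if the cookie is authentic and unexpired, otherwise null. */
function verify_cookie(string $cookie, string $key, int $now): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // hash_equals is constant-time, so the tag cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }
    $raw  = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data) || !isset($data['u'], $data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return (string) $data['u'];
}

// 3. Server-side session: the cookie carries only an unguessable random ID and
//    the username lives in $_SESSION on the server, so there is nothing for the
//    client to edit. Call this from the login handler after the password check.
function start_authenticated_session(string $username): void
{
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.cookie_httponly', '1');  // keep the ID away from script access
    ini_set('session.cookie_secure', '1');    // send the ID only over HTTPS
    session_start();
    session_regenerate_id(true);              // fresh ID after login blocks session fixation
    $_SESSION['user'] = $username;
}

// Demonstration with constructed input (run from the CLI: php cookies.php).
$forged = ['authenticated' => 'yes', 'username' => 'admin']; // attacker-supplied cookies
var_dump(is_logged_in_naive($forged));                      // the naive check accepts the forgery

$now  = time();
$good = sign_cookie('alice', $now + 3600, COOKIE_KEY);
var_dump(verify_cookie($good, COOKIE_KEY, $now));           // genuine cookie yields the username

// Attacker keeps the server's tag but swaps the payload for one naming "admin".
$tag      = explode('.', $good, 2)[1];
$tampered = base64_encode(json_encode(['u' => 'admin', 'exp' => $now + 3600])) . '.' . $tag;
var_dump(verify_cookie($tampered, COOKIE_KEY, $now));       // HMAC no longer matches the payload

// An expired but otherwise genuine cookie is rejected as well.
$stale = sign_cookie('alice', $now - 1, COOKIE_KEY);
var_dump(verify_cookie($stale, COOKIE_KEY, $now));          // rejected on the exp field
```

Note that the signed cookie only proves the server produced it; it does not hide the username, and it stays valid until exp even if the user logs out, which is why the server-side session is the usual default and a signed cookie is reserved for cases where a round trip to session storage is undesirable.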