Re: Cash reward for a secure PHP page!
- From: Alan Cox <alan redhat com>
- To: For testers of Fedora Core development releases <fedora-test-list redhat com>
- Cc: fedora-list redhat com
- Subject: Re: Cash reward for a secure PHP page!
- Date: Sat, 6 Nov 2004 21:38:26 -0500

On Sat, Nov 06, 2004 at 06:02:40PM -0600, Rodolfo J. Paiz wrote:
> few users, each of which has a username and password. However, they do
> not want to rely on .htaccess files only; they want each page to check
> session validity so they can have time-outs and stuff.

There are a whole pile of session manager libraries for PHP floating around
and some of them don't suck 8)

> 1. The user's credentials should be stored in some reasonably-secure
> and reasonably-scalable fashion. I do not have the knowledge to
> determine whether an htaccess file will work well enough or whether

The linux.org.uk portaloo does the following

    state = [array of things we need to remember] + timestamp
    md5sum (state, secret)
    cookie = md5result + state

that gives you rather hard to fake browser kept state very easily

Alan
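
The scheme sketched in the message above, written out as an added example; it is not part of the original message and is not the linux.org.uk code. It substitutes HMAC-SHA256 (hash_hmac) for md5sum(state, secret), compares with hash_equals, and uses the timestamp for the per-page time-out; the function names, secret, 900-second limit and sample values are assumptions made for the illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: helper names are hypothetical; SECRET, MAX_AGE and the sample data are constructed.
const SECRET  = 'constructed-demo-secret-change-me'; // server-side only, never sent to the browser
const MAX_AGE = 900;                                 // session time-out in seconds

// cookie = mac + state, where state = things to remember + timestamp
function make_cookie(array $remember, int $now): string
{
    $state = base64_encode(json_encode(['data' => $remember, 'ts' => $now]));
    $mac   = hash_hmac('sha256', $state, SECRET);    // keyed hash over the exact bytes sent
    return $mac . '.' . $state;
}

// Returns the remembered array, or null if the cookie is forged, malformed or timed out.
function read_cookie(string $cookie, int $now): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $state] = $parts;
    if (!hash_equals(hash_hmac('sha256', $state, SECRET), $mac)) {
        return null;                                 // verify the MAC before decoding anything
    }
    $decoded = json_decode((string) base64_decode($state, true), true);
    if (!is_array($decoded) || !isset($decoded['ts'], $decoded['data'])
        || !is_int($decoded['ts']) || !is_array($decoded['data'])) {
        return null;
    }
    if ($decoded['ts'] > $now || $now - $decoded['ts'] > MAX_AGE) {
        return null;                                 // too old, or stamped in the future
    }
    return $decoded['data'];
}

// Constructed sample run: a valid cookie, the same MAC over altered state, and an aged cookie.
$t0     = 1099795106;
$cookie = make_cookie(['user' => 'alice', 'role' => 'member'], $t0);
$forged = substr($cookie, 0, 64) . '.'
        . base64_encode(json_encode(['data' => ['user' => 'alice', 'role' => 'admin'], 'ts' => $t0]));
var_dump(read_cookie($cookie, $t0 + 60));
var_dump(read_cookie($forged, $t0 + 60));
var_dump(read_cookie($cookie, $t0 + 3600));
```

The state is signed, not encrypted, so whoever holds the browser can read it; nothing confidential belongs in it.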