|
|
Posted by Erwin Moller on 10/13/78 11:39
Notgiven wrote:
> I am considering a large project and they currently use LDAP on MS
> platform. It would be moved to a LAMP platform. OpenLDAP is an option
> though I have not used it before. I do feel fairly confortable with my
> ability to use SESSIONS for authentication and access control.
>
> Would it better to learn and use LDAP or can you REALLY have just as
> secure authentication and access control using Sessions?
Hi,
You better be the judge of that yourself.
Consider the following about sessions:
- A session with a client is based on some value that is passed to the
client. The client sends this value back each new request to the server.
- This is just a token, often in form of: PHPSESID=231jhg2fg14hg3ff43
- This sessionid is passed via cookie or URL
So untill now: Somebody has to intercept the sessionid on its route from
client to server and the other way round.
If somebody manages to do this, under most circumstances this bad guy can
'hijack the session', simply by going to the same page with the right
cookie set (for PHPSESSID)
If you can secure this part (by means of https eg) then you are fine (so
far).
How to use a session for security (admin-only pages example)
- A sessionid is used on the server to retrieve the actual data stored in
the session, like (in php):
to set some value:
$_SESSION["isadmin"] = "Y";
or on top of a script that demands admin-only entrance:
if ((isset($_SESSION["isadmin"]) && ($_SESSION["isadmin"] == "Y")) {
// OK
} else {
echo "Go away!";
exit;
}
So you'll have to adjust this logic everywhere in your application.
Next possible problem:
The server itself.
Consider where the sessiondata (like 'admin' value) is stored.
Default PHP install will use a filebased sessionstorage system.
It created a file in a temp directory under a name that includes the
sessionid.
PHP will get this file if a new request arives at the server.
Alternatively, you can write your own sessionhandling, and store it in a
database.
In both cases:
Ask yourself: Can somebody else get the session there? (in tempdirectory or
from database).
Remember that the tempdirectory is writable and readable for all users
(under most *nix distros).
The fileowner of the sessionfile will be the user that runs PHP.
Under *nix this is often www-data/apache/nobody.
So if you are in a shared hosting environment, somebody else running a
website on that machine, will run as the same user, thus will be able to
get the sessionfile and read/write it.
(Again under most setups)
Hope this helps you a bit to decide what is best.
Oh, my knowledge of LDAP is limited to 'heard that name before, something
with file/directorybased storage, right?'.
So I cannot help you compare.
Good luck.
Regards,
Erwin Moller
>
> Thanks for your thoughts and experience.
Navigation:
[Reply to this message]
|