|
|
Posted by Notgiven on 10/12/97 11:39
"Erwin Moller"
<since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in
message news:43e9f242$0$11067$e4fe514c@news.xs4all.nl...
> Notgiven wrote:
>
>> I am considering a large project and they currently use LDAP on MS
>> platform. It would be moved to a LAMP platform. OpenLDAP is an option
>> though I have not used it before. I do feel fairly confortable with my
>> ability to use SESSIONS for authentication and access control.
>>
>> Would it better to learn and use LDAP or can you REALLY have just as
>> secure authentication and access control using Sessions?
>
> Hi,
>
> You better be the judge of that yourself.
> Consider the following about sessions:
>
> - A session with a client is based on some value that is passed to the
> client. The client sends this value back each new request to the server.
> - This is just a token, often in form of: PHPSESID=231jhg2fg14hg3ff43
> - This sessionid is passed via cookie or URL
>
> So untill now: Somebody has to intercept the sessionid on its route from
> client to server and the other way round.
> If somebody manages to do this, under most circumstances this bad guy can
> 'hijack the session', simply by going to the same page with the right
> cookie set (for PHPSESSID)
>
> If you can secure this part (by means of https eg) then you are fine (so
> far).
>
> How to use a session for security (admin-only pages example)
>
> - A sessionid is used on the server to retrieve the actual data stored in
> the session, like (in php):
>
> to set some value:
> $_SESSION["isadmin"] = "Y";
>
> or on top of a script that demands admin-only entrance:
> if ((isset($_SESSION["isadmin"]) && ($_SESSION["isadmin"] == "Y")) {
> // OK
> } else {
> echo "Go away!";
> exit;
> }
>
> So you'll have to adjust this logic everywhere in your application.
>
>
> Next possible problem:
>
> The server itself.
> Consider where the sessiondata (like 'admin' value) is stored.
> Default PHP install will use a filebased sessionstorage system.
> It created a file in a temp directory under a name that includes the
> sessionid.
> PHP will get this file if a new request arives at the server.
>
> Alternatively, you can write your own sessionhandling, and store it in a
> database.
>
> In both cases:
> Ask yourself: Can somebody else get the session there? (in tempdirectory
> or
> from database).
>
> Remember that the tempdirectory is writable and readable for all users
> (under most *nix distros).
> The fileowner of the sessionfile will be the user that runs PHP.
> Under *nix this is often www-data/apache/nobody.
>
> So if you are in a shared hosting environment, somebody else running a
> website on that machine, will run as the same user, thus will be able to
> get the sessionfile and read/write it.
> (Again under most setups)
>
> Hope this helps you a bit to decide what is best.
>
> Oh, my knowledge of LDAP is limited to 'heard that name before, something
> with file/directorybased storage, right?'.
> So I cannot help you compare.
>
> Good luck.
>
> Regards,
> Erwin Moller
Thanks for your insight. I am using sessions for auth/acess control now for
several apps so. like you, I understand how that works. I haven't done this
yet, but you can set the session store location/directory in the php.ini
file.
If you do that and use SSL, I think most of session security is covered.
The logic of access control is critical and requires lots of planning and
"what-if" analysis.
thanks again!
Navigation:
[Reply to this message]
|