Posted by Oli Filth on 10/13/37 11:36
Øystein Hafli wrote:
> Marcos José Setim wrote:
> > Hi,
> >
> > I've like to know if exists tips for developing the login using Session
> > and Cookie to secure against invasion.
> >
>
> You can use a fingerprint function:
>
> --
> function fingerprint($username) {
>     // Bind the session to the user name, the browser's User-Agent string,
>     // a fixed salt word and the current session id.
>     $fingerprint = $username . $_SERVER['HTTP_USER_AGENT'];
>     $fingerprint = $fingerprint . "saltword";
>     $fingerprint = md5($fingerprint . session_id());
>     return $fingerprint;
> }
> --
>
> When the user logs in:
> $_SESSION['fingerprint'] = fingerprint($_SESSION['username']);
>
> then, on the secured pages, do this:
> if ($_SESSION['fingerprint'] != fingerprint($_SESSION['username'])) {
>     echo "Fingerprint mismatch";
>     session_destroy();
>     exit();
> }
>
>
Both this and the link posted by Juglesh essentially work the same way
- creating a fingerprint from user-related data (in this instance, the
user-agent string).
I've read the article on shiflett.org before (the link is
http://shiflett.org/articles/the-truth-about-sessions, BTW), but I've
never understood what the point of the salt word is in this situation;
nor the use of MD5, in fact. I can't see what they could possibly help
against.
There was a discussion on this in comp.lang.php a while back, see:
http://groups.google.co.uk/group/comp.lang.php/browse_frm/thread/492a27a6f7742d2e/
--
Oli
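Added example (not code from the thread or from shiflett.org): a fingerprint check built on the same inputs as the quoted function (user name, User-Agent string, session id), but with two changes that address the points raised above. The salted md5() is replaced by an HMAC under a server-side key, so the digest is tied to something the server holds rather than to a fixed salt word, and the session id is regenerated at login before the fingerprint is computed, because the id is one of the fingerprint's inputs. The constant FINGERPRINT_SECRET, the functions login() and requireValidSession(), and the assumption that session_start() has already been called are mine.

```php
<?php
// Added example, not from the original thread. Assumes session_start() has
// already run on every request that calls these functions.

// Constructed placeholder key; a real deployment loads this from configuration.
const FINGERPRINT_SECRET = 'example-secret-not-for-production';

function fingerprint(string $username, string $userAgent, string $sessionId): string
{
    // Same inputs as the quoted post, joined with a separator so that
    // "ab" + "c" and "a" + "bc" cannot collide, keyed with a server-side secret.
    $data = $username . "\0" . $userAgent . "\0" . $sessionId;
    return hash_hmac('sha256', $data, FINGERPRINT_SECRET);
}

function login(string $username): void
{
    // A fresh session id on login defeats session fixation. The fingerprint
    // is computed only afterwards, since session_id() is one of its inputs.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['fingerprint'] = fingerprint(
        $username,
        $_SERVER['HTTP_USER_AGENT'] ?? '',
        session_id()
    );
}

function requireValidSession(): void
{
    $expected = $_SESSION['fingerprint'] ?? '';
    $actual = fingerprint(
        $_SESSION['username'] ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? '',
        session_id()
    );
    // hash_equals() compares in constant time; an unset fingerprint (no login
    // yet) is treated as a mismatch rather than as an empty-string match.
    if ($expected === '' || !hash_equals($expected, $actual)) {
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Fingerprint mismatch');
    }
}
```

Call login() once the user's credentials have been verified and requireValidSession() at the top of each protected page. Note that the check only detects a change in the User-Agent string presented with a given session id; a client that reproduces the original browser's User-Agent passes it, so it complements rather than replaces transport protection and session id regeneration.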