Re: Secure Session - Tips

Posted by Oli Filth on 10/05/37 11:36

Øystein Hafli wrote:
> Marcos José Setim wrote:
> > Hi,
> >
> > I've like to know if exists tips for developing the login using Session
> > and Cookie to secure against invasion.
> >
>
> You can use a fingerprint function:
>
> --
> // Derive a per-user fingerprint from the username, the User-Agent header,
> // a fixed salt word and the current session id.
> function fingerprint($username) {
>     $fingerprint = $username . $_SERVER['HTTP_USER_AGENT'];
>     $fingerprint = $fingerprint . "saltword";
>     $fingerprint = md5($fingerprint . session_id());
>     return $fingerprint;
> }
> --
>
> When the user logs in:
> $_SESSION['fingerprint'] = fingerprint($_SESSION['username']);
>
> then, on the secured pages, do this:
> if ($_SESSION['fingerprint'] != fingerprint($_SESSION['username'])) {
>     echo "Fingerprint mismatch";
>     session_destroy();
>     exit();
> }
>
>

Both this and the link posted by Juglesh essentially work the same way
- creating a fingerprint from user-related data (in this instance, the
user-agent string).

I've read the article on shiflett.org before (the link is
http://shiflett.org/articles/the-truth-about-sessions, BTW), but I've
never understood what the point of the salt word is in this situation;
nor the use of MD5, in fact. I can't see what they could possibly help
against.

There was a discussion on this in comp.lang.php a while back, see:
http://groups.google.co.uk/group/comp.lang.php/browse_frm/thread/492a27a6f7742d2e/

--
Oli
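The same user-agent fingerprint check, written out as an added example (not code from the thread or from shiflett.org), with the typos in the quoted snippet fixed, a constant-time comparison, and a server-side secret in place of the inline salt word. The constant name SESSION_FINGERPRINT_SECRET and the function names are assumptions for this example:

```php
<?php
// Added example, not from the thread. Fingerprint a logged-in session from the
// username and the User-Agent header, keyed with a server-side secret.
declare(strict_types=1);

// Placeholder: load a long random value from configuration, not from source.
const SESSION_FINGERPRINT_SECRET = 'replace-with-a-long-random-server-side-value';

// Both inputs are known to the client; the HMAC key is the only part a client
// cannot reproduce, which is what a salt word sitting in the source does not give.
function session_fingerprint(string $username, string $userAgent): string
{
    return hash_hmac('sha256', $username . "\0" . $userAgent, SESSION_FINGERPRINT_SECRET);
}

// Call once, after the credentials have been verified.
function login_user(string $username): void
{
    session_regenerate_id(true); // fresh id so a pre-login session id is not kept
    $_SESSION['username']    = $username;
    $_SESSION['fingerprint'] = session_fingerprint($username, $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call at the top of every protected page; returns true when the session may be used.
function session_is_valid(): bool
{
    if (!isset($_SESSION['username'], $_SESSION['fingerprint'])) {
        return false;
    }
    $expected = session_fingerprint($_SESSION['username'], $_SERVER['HTTP_USER_AGENT'] ?? '');
    // hash_equals compares in constant time instead of with != on strings.
    if (!hash_equals($expected, $_SESSION['fingerprint'])) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

session_start();
if (!session_is_valid()) {
    http_response_code(403);
    exit('Fingerprint mismatch');
}
```

The session id is deliberately left out of the hashed data: the stored fingerprint already lives inside that session, so mixing the id in adds nothing and would force a recompute after every session_regenerate_id() call. The check still only detects a request whose User-Agent differs from the one seen at login; it does not by itself bind the session to a particular client.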
