Reply to Re: Security question

Your name:

Reply:


Posted by JamesB on 09/25/05 12:33

"Gordon Burditt" <gordonb.srm7n@burditt.org> wrote in message
news:11j8edvcja6g603@corp.supernews.com...
> >I am half way through making a site you can only do certain stuff if
> >logged
>>in to.
>>
>>So far, you are logged in if there is a session variable with your
>>username,
>>but I got thinking that presumably someone who worked this out could make
>>a
>>cookie file with this info in and pretend to be another user. So... what's
>>the recommended way?
>
> The cookie variable does not contain the session variables. It
> only contains a key to the session variables. If there are no
> sessions with the target user logged in, the hacker can't guess a
> session cookie to that user. There won't be any like that to guess.
> (He can try to guess that user's password, though, which may be a
> lot easier than guessing the cookie).
>
>>I thought of storing an MD5 hash of the login time in the session and in
>>the
>>database too, then on each page, comparing the session variable to that in
>>the db. Theory being, if a hacker had tried making their own cookie file
>>they wouldnt have the right hash.
>
> It is not difficult to write a handler to put session info into the
> database in the first place. This doesn't increase security, but
> it may make it easier to do admin-like things like look at who's
> logged in or clean up old abandoned sessions periodically.
>
> Unless the hacker has access to files on the server (and then you're
> REALLY in trouble, as he can probably modify your code too), the
> only sessions he can fake are ones active at the time. These will
> have *correct* md5 hashes, so your check does nothing.
>
>>Sound reasonable? Or is session info secure enough anyway? Its not a D.O.D
>>site or anything, but might as well make it right from outset...
>
> One thing you can do: time out existing sessions, and DON'T DEPEND
> ON PHP TO DO IT FOR YOU. Store the login time in the session and
> check for expiration on each page along with checking for a valid
> login. Make the session time as short as practical without
> inconveniencing legitimate users. You might want to use the "last
> hit time" rather than login time, so sessions stay active if the
> user keeps clicking, but die if they walk away from their computer.
> This lets you make the timeout quite a bit shorter. Beware, though,
> that if users post stuff they may take quite a bit of time composing
> what they post, and get irritated if their session times out.
>
> If session security is better than user password security, the
> hacker will go after the user's password (which gets him in
> permanently, rather than for a short time).
>
> Gordon L. Burditt


Thanks for the pointers Gordon.
As you say, if user's passwords are hopeless then all of your other security
becomes somewhat redundant!
James

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация