What is most secure?
What would be the most secure way to handle logins? Cookies, sessions or something else?
Re: What is most secure?
dwfait wrote: What would be the most secure way to handle logins? Cookies, sessions or something else?
SSL.
No SSL? Then db-driven sessions.
No db-driven sessions? Then file-system sessions.
No Sessions? Then cookies.
No cookies? Go to the store and buy some Nestle Toll House, and get cooking. Yummmm.. Cooooookies.
You would need to run apache-ssl..
The installer has a tool to generate a certificate, or you can get it at http://www.cacert.org/ for free.
Read the documentation at http://httpd.apache.org? (Yes, you can run them both)
dwfait wrote: :'( Apache SSL is only available for apache 1.x and on Linux only. I got the latest stable 2.x on a windows box. Guess it's DB driven sessions then..
Apache2 (on linux and unix) has ssl available. Your phrasing made that a little hard to grasp, so .. wanted to clarify that.
Didn't know that there wasn't ssl for apache2 on windows. Odd.
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Ambush Commander wrote: Wait, what's with the "Db_driven sessions"? How does that work?
http://phplens.com/lens/adodb/docs-session.htm
Learn it, live it, love it.
The idea is that all the session information is stored in a database - NOT on the filesystem. On a shared host, it's a fantastic improvement in security.
Even on a host where you control the filesystem and the database, it puts another layer of protection in front of an attacker.
Beyond the security, it allows you to have one web front end, and a cluster of database servers behind it. With filesystem-based sessions, that's much trickier.
Beautiful stuff. Adodb even offers encryption AND compression for session information, for an even bigger win!
Ambush Commander wrote: Neat. Maybe I should stop using PEAR's DB class and use Adodb?
There are advantages to each.
For me, there was no choice - all my code is under the GPL, and PEAR's DB class is under the PHP License - which is incompatible with the GPL. So I could not use it with my code, or my chosen license.
Of course, the adodb-xmlschema, encrypted/compressed sessions, insanely great performance monitoring, and db-driven sessions all were delicious icing on top.
Apache 2 on Windows doesn't come with SSL precompiled, but you can compile it, or download precompiled binaries from: http://hunter.campbus.com/