What is most secure?
Posted: Mon Aug 01, 2005 7:00 pm
by dwfait
What would be the most secure way to handle logins? Cookies, sessions or something else?
Re: What is most secure?
Posted: Mon Aug 01, 2005 7:05 pm
by Roja
dwfait wrote: What would be the most secure way to handle logins? Cookies, sessions or something else?
SSL.
No SSL? Then db-driven sessions.
No db-driven sessions? Then file-system sessions.
No Sessions? Then cookies.
No cookies? Go to the store and buy some Nestle Toll House, and get cooking. Yummmm.. Cooooookies.
Posted: Mon Aug 01, 2005 7:08 pm
by dwfait
Can you set up SSL on an apache system on your own computer for free? Or does SSL cost?
And if it costs, could you forward me to any tutorials on DB driven Sessions please?
Posted: Mon Aug 01, 2005 7:20 pm
by timvw
You would need to run apache-ssl..
The installer has a tool to generate a certificate, or you can get it at
http://www.cacert.org/ for free.
Posted: Mon Aug 01, 2005 7:35 pm
by dwfait
Could I run Apache-SSL alongside a normal Apache webserver, or would I need to replace it with it?
Posted: Mon Aug 01, 2005 7:43 pm
by timvw
Read the documentation at
http://httpd.apache.org? (Yes, you can run them both)
Posted: Mon Aug 01, 2005 8:08 pm
by dwfait
:'(
Apache SSL is only available for apache 1.x and on Linux only. I got the latest stable 2.x on a windows box. Guess it's DB-driven sessions then..
Posted: Mon Aug 01, 2005 9:04 pm
by Roja
dwfait wrote: :'(
Apache SSL is only available for apache 1.x and on Linux only. I got the latest stable 2.x on a windows box. Guess it's DB-driven sessions then..
Apache2 (on linux and unix) has ssl available. Your phrasing made that a little hard to grasp, so .. wanted to clarify that.
Didn't know that there wasn't ssl for apache2 on windows. Odd.
Posted: Mon Aug 01, 2005 9:05 pm
by Ambush Commander
Wait, what's with the "Db_driven sessions"? How does that work?
Posted: Mon Aug 01, 2005 9:14 pm
by Roja
Ambush Commander wrote: Wait, what's with the "Db_driven sessions"? How does that work?
http://phplens.com/lens/adodb/docs-session.htm
Learn it, live it, love it.
The idea is that all the session information is stored in a database - NOT on the filesystem. On a shared host, it's a fantastic improvement in security.
Even on a host where you control the filesystem and the database, it puts another layer of protection in front of an attacker.
Beyond the security, it allows you to have one web front end, and a cluster of database servers behind it. With filesystem-based sessions, that's much trickier.
Beautiful stuff. Adodb even offers encryption AND compression for session information, for an even bigger win!
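To make the "session data in a database, not on the filesystem" idea concrete, here is an added example of a minimal PHP session save handler backed by a database through PDO. It is not adodb's code or anything posted in this thread; it assumes PHP 8 with the PDO SQLite driver, and the table name `sessions` and the file `sessions.sqlite` are made up for the illustration. Session rows carry an expiry so stale sessions cannot be resumed, and the cookie is flagged `Secure` and `HttpOnly` so the session id is not sent in clear text or readable by page scripts.

```php
<?php
// Added example: database-backed PHP session handler using PDO + SQLite.
// Not adodb's implementation; it shows the same idea in plain PHP.

class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime = 1440)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        // Hypothetical table: one row per session id, with an expiry timestamp.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id      TEXT PRIMARY KEY,
                data    BLOB NOT NULL,
                expires INTEGER NOT NULL
            )'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Only return data for a session that has not expired; an unknown
    // or expired id yields an empty session instead of stale data.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires > :now'
        );
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    // Upsert the serialized session and push the expiry forward.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, expires)
             VALUES (:id, :data, :expires)'
        );
        return $stmt->execute([
            ':id'      => $id,
            ':data'    => $data,
            ':expires' => time() + $this->maxLifetime,
        ]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: drop every row whose expiry has passed.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Usage: register the handler before session_start().
$pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite'); // assumed path
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($pdo), true);

// Cookie flags: only over HTTPS, not readable from JavaScript.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// After a successful login, issue a fresh id so a pre-login id cannot be reused.
session_regenerate_id(true);
$_SESSION['user'] = 'alice'; // constructed sample value
```

Because `read()` filters on `expires`, a session row that outlived its lifetime behaves exactly like a session that never existed, even if garbage collection has not yet run; the `destroy()` triggered by `session_regenerate_id(true)` removes the old row immediately rather than leaving it valid until expiry.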
Posted: Mon Aug 01, 2005 9:25 pm
by Ambush Commander
Neat.
Maybe I should stop using PEAR's DB class and use Adodb?
Posted: Mon Aug 01, 2005 10:19 pm
by Roja
Ambush Commander wrote: Neat.
Maybe I should stop using PEAR's DB class and use Adodb?
There are advantages to each.
For me, there was no choice - all my code is under the GPL, and PEAR's DB class is under the PHP License - which is incompatible with the GPL. So I could not use it with my code, or my chosen license.
Of course, the adodb-xmlschema, encrypted/compressed sessions, insanely great performance monitoring, and db-driven sessions all were delicious icing on top.
Posted: Tue Aug 02, 2005 6:46 am
by shoebappa
Apache 2 on windows doesn't come with SSL precompiled, but you can compile it, or download precompiled binaries from:
http://hunter.campbus.com/