I'm writing authentication code.
Is there any possible way one can access/alter/erase my session data through the browser (or any kind of HTTP connection)?
Is sending the password and username as POST data as "secure" as sending HTTP auth headers to the browser? (And thus getting passwords and usernames.)
If I understand correctly, PHP sessions use cookies to store the session id on the client side? This is a possible security threat too, right?
My idea is to check the password and username only once and set a flag like $_SESSION["all_ok"] = "TRUE"; then I can check only that variable, and if it is ok I can continue to execute the script. (The check happens as the first thing in a page.) I also thought about setting a cookie that contains another id and a time; if (servertime - cookie time) > 10 min, stop the session. So if all these three things (and possibly some more) are ok (flag, time, my own id), the user is considered authenticated. Are there any obvious security threats that I'm missing?
Are there any reasons why I shouldn't store the password and username in $_SESSION? If it really is secure, is it also safe to save anything there?
What are the advantages if I use Mohawk Software's session handler?
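The scheme sketched in the question (credentials checked once, a flag set in $_SESSION and checked first on every page, a 10-minute inactivity limit, an extra id of your own), written out as an added PHP example that is not code from this thread. It keeps the timestamp and the extra id in $_SESSION on the server rather than in a cookie, because a cookie value is whatever the client chooses to send, and it never stores the password itself in the session. verify_credentials() and the single sample user inside it are assumptions standing in for a real user store.

```php
<?php
// Added example, not code from the thread. Implements the question's scheme:
// check credentials once, set a flag, check the flag first on every page,
// drop the session after 10 minutes of inactivity.

session_start();

const IDLE_LIMIT = 600; // 10 minutes, as in the question

// Stand-in for a real user lookup (assumption): username => password_hash().
function verify_credentials(string $user, string $pass): bool
{
    $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Called once, right after the credential check succeeds.
function login_session(string $user): void
{
    session_regenerate_id(true);            // fresh id on login, old one discarded
    $_SESSION['all_ok']        = true;
    $_SESSION['user']          = $user;     // the password itself is never stored
    $_SESSION['last_activity'] = time();    // server-side, not in a client cookie
    $_SESSION['token']         = bin2hex(random_bytes(16)); // the "own id"
}

// First thing on every protected page.
function require_login(): void
{
    $flag_ok = ($_SESSION['all_ok'] ?? false) === true;
    $fresh   = isset($_SESSION['last_activity'])
            && (time() - $_SESSION['last_activity']) <= IDLE_LIMIT;
    if (!$flag_ok || !$fresh) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();    // sliding inactivity window
}

// Login handler: POST from the login form, served over HTTPS.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (verify_credentials($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        login_session($_POST['username']);
        header('Location: /home.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Protected pages call require_login() before producing any output; because the timeout lives in $_SESSION, a client cannot extend it by rewriting a cookie.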
roninblade:
Here's a very good discussion I found over at the devshed PHP forums on PHP security issues. It's a must read for newbies.
More on security
Hey Roninblade,
I just read that bit on devshed about security and it is indeed something that should be talked about more in the community. Perhaps there should be a PHP FAQ on this topic, or even a web site dedicated to this.
As for the question:
> Is sending password and username as post data as "secure" as sending http auth headers to browser? (And thus getting passwords and usernames.)
I would say that neither of them is secure at all. I'm not 100% sure about HTTP auth headers, but I know that using the POST method is only as secure as not showing the information in the URL. However, a packet sniffer or something could easily read all the information that is sent from the form.
In my opinion, if you don't have a secure (https) connection, encrypt (hash) passwords client side. There are md4, md5, sha1, and I think Haval javascripts out there.
Oh well.......
Later on,
BDKR (TRC)