Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.
I am trying to secure a members section. I am thinking of combining HTTP authentication with custom MySQL session handling.
I was thinking the following would work, but I am not sure if there can be any problem.
The session vars would be saved in a MySQL database including IP, hostname, timestamp, etc. A garbage routine would go over this table every 15 min to delete the expired session entries.
Do any of you have an idea how I can solve the AOL proxy problem? In my model an AOL user would have to authenticate every time he clicks a link and his IP changes.
I was thinking that if a user has cookies disabled I still have the user/IP/host check to log out someone who uses an open browser of, e.g., a coworker.
The members section will be completely in SSL. It does not generate much bandwidth, but the data is sensitive.
If a user, for example, logs in at a public Internet terminal that has cookies disabled and the browser stays open, the HTTP authentication will let anybody on who uses the history to access this section.
If I check against a database that also has the username and IP, even if the session_id is useless (due to the disabled cookies) I can still disable the access after a short period.
Since you have a session garbage collector already, that would clear up a large number of coworkers getting into stuff... (as long as your time-to-live is somewhat short)
Last edited by feyd on Wed Jul 14, 2004 3:45 am, edited 1 time in total.
AGISB wrote:But this means the session_id is in the URL. Wouldn't that mean a bigger security risk?
Yes - but that might be acceptable depending on how high your security needs are.
As you have mentioned, you can't use IP to identify a user. You can, however, use sessions. If a session already exists for a particular user profile, you can prevent someone else logging in with the same password at the same time. A custom session handler makes that easier: a quick db check.
Mind you, if someone else does have the password, there's nothing to stop them logging in later when the valid user has logged off. If you managed to identify a compromised password, privileges should be removed from that profile until the valid user has registered a new pass.
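The pieces discussed in this thread (a database-backed session table carrying username, IP and a last-activity timestamp, a garbage routine that drops expired rows, and the "quick db check" that refuses a second concurrent login for the same profile) fit together as a custom PHP session handler. The code below is an added example written for this page, not code posted by AGISB, feyd or any other participant. It assumes PHP 7.4 or later with PDO; SQLite is used so it runs offline, but the schema and queries are plain enough for MySQL (swap `INSERT OR REPLACE` for `REPLACE INTO` or `ON DUPLICATE KEY UPDATE`). The `login()` function and the file name `sessions.sqlite` are illustrative assumptions.

```php
<?php
// Added example: DB-backed session handler with idle timeout, garbage
// collection and a one-live-session-per-user check. Not from the thread.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $ttl;   // idle timeout in seconds (the thread's "short time-to-live")

    public function __construct(PDO $db, int $ttlSeconds = 900)
    {
        $this->db  = $db;
        $this->ttl = $ttlSeconds;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, username TEXT, ip TEXT,
            data TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }

    #[\ReturnTypeWillChange] public function open($savePath, $name) { return true; }
    #[\ReturnTypeWillChange] public function close() { return true; }

    // Only rows seen within the idle window are considered valid.
    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND last_seen > :cutoff');
        $st->execute([':id' => $id, ':cutoff' => time() - $this->ttl]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    // Username and client IP are stored beside the serialized data so that
    // "is this user logged in elsewhere?" is a single query. The IP is kept
    // for auditing only; it is deliberately NOT used to validate the session.
    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $st = $this->db->prepare('INSERT OR REPLACE INTO sessions
            (id, username, ip, data, last_seen) VALUES (:id, :u, :ip, :d, :now)');
        return $st->execute([':id' => $id, ':u' => $_SESSION['username'] ?? null,
            ':ip' => $_SERVER['REMOTE_ADDR'] ?? null, ':d' => $data, ':now' => time()]);
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
    }

    // Garbage collection: PHP invokes this probabilistically; a cron job every
    // 15 minutes issuing the same DELETE is the thread's "garbage routine".
    #[\ReturnTypeWillChange]
    public function gc($maxLifetime)
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen <= :cutoff');
        $st->execute([':cutoff' => time() - min($this->ttl, (int) $maxLifetime)]);
        return $st->rowCount();
    }

    // The "quick db check": does another live session exist for this user?
    public function hasOtherLiveSession(string $username, string $currentId): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE username = :u
            AND id <> :id AND last_seen > :cutoff LIMIT 1');
        $st->execute([':u' => $username, ':id' => $currentId, ':cutoff' => time() - $this->ttl]);
        return $st->fetchColumn() !== false;
    }
}

// --- Wiring (assumed usage) ---
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new DbSessionHandler($db, 900);             // 15 minute idle timeout
session_set_save_handler($handler, true);
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Called after the password (or HTTP auth) has already been verified.
function login(DbSessionHandler $h, string $username): bool
{
    if ($h->hasOtherLiveSession($username, session_id())) {
        return false;                                     // refuse concurrent login
    }
    session_regenerate_id(true);                          // fresh id after authentication
    $_SESSION['username'] = $username;
    return true;
}
```

Note that the handler enforces the idle timeout on every `read()`, so an abandoned browser on a shared terminal stops working after `$ttl` seconds even if the garbage routine has not run yet, and that the stored IP is never compared against the current request, which is what makes the design tolerate AOL-style rotating proxies and single-IP corporate proxies alike.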
AGISB wrote:I was thinking that if a user has cookies disabled I still have the user/IP/host check to log out someone who uses an open browser of, e.g., a coworker.
A lot of companies use a single IP address on their PROXY, displaying the same IP regardless of the user.