Access Control Theory

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Access Control Theory

Post by AGISB »

I am trying to secure a members section. I am thinking of combining http-authentication with custom MySQL session handling.
I was thinking the following would work, but I am not sure if there can be any problem.

Image

The session vars would be saved in a MySQL database including IP, Hostname, Timestamp etc. A garbage routine would go over this table every 15 min to delete the expired session entries.

Do any of you have an idea how I can solve the AOL proxy problem? In my model an AOL user would have to authenticate every time he clicks a link and his IP changed.

Thanks

Andy
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

why not, have a valid session, and whatnot.. you bypass the other junk?
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

I was thinking that if a user has cookies disabled I still have the user/IP/Host check to log out someone who uses an open browser of, e.g., a coworker.

The members section will be completely in SSL. It does not generate much bandwidth but the data is sensitive.

If a user, for example, logs in at a public Internet terminal that has cookies disabled and the browser stays open, the http-authentication will let anybody on that uses the history to access this section.
If I check against a database that also has the username and IP, even if the session_id is useless (due to the disabled cookies), I can still disable the access after a short period.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

session id can be passed around without cookies..

Since you have a session garbage collector already, that would clear a large amount of coworkers getting into stuff.. (as long as your time-to-live is somewhat short)
Last edited by feyd on Wed Jul 14, 2004 3:45 am, edited 1 time in total.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

But this means the session_id is in the URL. Wouldn't that mean a bigger security risk?
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

I might add that I need an IP check anyhow to check for multiple logins with the same password.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

the cookie data is passed on every call, that's pretty much the same often..
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

AGISB wrote: But this means the session_id is in the URL. Wouldn't that mean a bigger security risk?
Yes - but that might be acceptable depending on how high your security needs are.

As you have mentioned, you can't use IP to identify a user. You can however use sessions. If a session already exists for a particular user profile you can prevent someone else logging in with the same password at the same time. A custom session handler makes that easier - a quick db check.

Mind you, if someone else does have the password, there's nothing to stop them logging in later when the valid user has logged off. If you managed to identify a compromised password, privileges should be removed from that profile until the valid user has registered a new pass.
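The session-based check suggested in the post above (one live session per user profile, a quick db lookup on login, expiry by a garbage routine instead of IP matching), as an added example that is not code from the thread. It assumes an in-memory SQLite database via PDO in place of the MySQL table, and the table, function and user names are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL session table (assumption).
const SESSION_TTL = 900; // 15 minutes, the garbage-collection interval mentioned in the thread

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per profile: the PRIMARY KEY on username enforces a single live session.
    $db->exec('CREATE TABLE sessions (username TEXT PRIMARY KEY, session_id TEXT NOT NULL UNIQUE, last_seen INTEGER NOT NULL)');
    return $db;
}

// Garbage routine: drop every session idle for longer than the TTL.
function collect_garbage(PDO $db, int $now): void {
    $db->prepare('DELETE FROM sessions WHERE last_seen < ?')->execute([$now - SESSION_TTL]);
}

// Call only after the password check passed. Returns a session id, or null if the profile is in use.
function login(PDO $db, string $user, int $now): ?string {
    collect_garbage($db, $now);
    $sid = bin2hex(random_bytes(16)); // unguessable id, independent of the client IP
    try {
        $db->prepare('INSERT INTO sessions (username, session_id, last_seen) VALUES (?, ?, ?)')
           ->execute([$user, $sid, $now]);
    } catch (PDOException $e) {
        if ((string)$e->getCode() !== '23000') throw $e; // only a key conflict means "already logged in"
        return null;
    }
    return $sid;
}

// Per-request check: refresh the timestamp and return the owner, or null if unknown or expired.
function touch_session(PDO $db, string $sid, int $now): ?string {
    $st = $db->prepare('UPDATE sessions SET last_seen = ? WHERE session_id = ? AND last_seen >= ?');
    $st->execute([$now, $sid, $now - SESSION_TTL]);
    if ($st->rowCount() !== 1) return null;
    $q = $db->prepare('SELECT username FROM sessions WHERE session_id = ?');
    $q->execute([$sid]);
    return $q->fetchColumn() ?: null;
}

$db = open_store();
$t = 1000000; // constructed clock value for the demo
$sid = login($db, 'andy', $t);                      // first login for the profile
var_dump($sid !== null);
var_dump(login($db, 'andy', $t + 60));              // second login while the session is live
var_dump(touch_session($db, $sid, $t + 120));       // normal request inside the TTL
var_dump(login($db, 'andy', $t + 120 + SESSION_TTL + 1) !== null); // after the idle session expired
```

Because the insert itself is the check, two simultaneous login attempts cannot both succeed, which a separate SELECT followed by an INSERT would not guarantee.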
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

AGISB wrote: I was thinking that if a user has cookies disabled I still have the user/IP/Host check to log out someone who uses an open browser of, e.g., a coworker.
A lot of companies use a single IP address on their proxy, displaying the same IP regardless of the user.

Therefore, this wouldn't do you much good.