Sessions and security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

mat106 wrote:It doesn't need to know which OTP to use since it runs through all values of OTP using

    while($row = mysql_fetch_array($get_OTP, MYSQL_BOTH))

That would work, but wouldn't it be impractical?
mat106
Forum Newbie
Posts: 16
Joined: Wed Aug 31, 2005 2:52 am

Post by mat106 »

If you were expecting hundreds of visitors all at the same time then yes, it would be impractical, but I'm only expecting a small number of users at any given moment and, as I've mentioned, they all have the same username and password (due to the nature of the project), so no.

I'm more troubled at the moment by the fact that the script doesn't work rather than the practicality!! Can you (or anyone) see why this is the case?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

See my PM.

The salt if stored can be different for all users - aren't we forgetting each user has a unique session_id? So use that for storing specific salts ;)
mat106
Forum Newbie
Posts: 16
Joined: Wed Aug 31, 2005 2:52 am

Post by mat106 »

Maugrim_The_Reaper wrote:See my PM.
You haven't sent me a PM.

The salt is different for each user. Each user gets a unique salt when they visit (or refresh) the login page, which is meant to get stored in the database. But as I've said, none of this is actually the problem (at the moment). The problem is that 2147483647
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

Maugrim_The_Reaper wrote:See my PM.

The salt if stored can be different for all users - aren't we forgetting each user has a unique session_id? So use that for storing specific salts ;)
Each page you visit, is the output of session_id() supposed to change?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

The session_id is fixed for all users once they visit any page where session_start() is called. It is different for all users, so can be used as a temporary unique ID. Sessions allow data to be carried from page to page by the server without resorting to cookies or hidden form fields or GET appendages.

lol..I sent a PM to someone...wrong link maybe? In any case see the tutorial attached to mein sig.
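The two points raised in this thread, looking a single per-user salt up by session_id() instead of looping over every OTP row with mysql_fetch_array(), and using the fixed session id as the temporary unique key for that salt, can be put together in one script. The following is an added example and not code posted in the thread; it assumes a PDO connection $pdo to MySQL, a hypothetical table login_salts (schema in the comment), and a hypothetical response format of sha256(salt . stored_password_hash), since the thread does not say how the client derives its response.

```php
<?php
// Added example (not from the thread). Per-session one-time salt stored under
// the PHP session id and fetched by primary key, never by scanning all rows.
// Assumed hypothetical schema:
//   CREATE TABLE login_salts (session_id VARCHAR(128) PRIMARY KEY,
//                             salt CHAR(64) NOT NULL, created_at INT NOT NULL);
declare(strict_types=1);

session_start();   // session_id() is now fixed for this visitor (see Maugrim's post)

// Login page: issue a fresh random salt and store it under this visitor's session id.
function issue_salt(PDO $pdo): string
{
    $salt = bin2hex(random_bytes(32));   // 64 hex chars from the CSPRNG
    $stmt = $pdo->prepare(
        'REPLACE INTO login_salts (session_id, salt, created_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([session_id(), $salt, time()]);
    return $salt;   // embed in the login form as a hidden field
}

// Form handler: fetch only this session's salt, then delete it so it is single-use.
// Returns null when no salt was issued, or when it is older than $max_age seconds.
function take_salt(PDO $pdo, int $max_age = 300): ?string
{
    $pdo->beginTransaction();
    $stmt = $pdo->prepare(
        'SELECT salt, created_at FROM login_salts WHERE session_id = ? FOR UPDATE'
    );
    $stmt->execute([session_id()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false) {
        $del = $pdo->prepare('DELETE FROM login_salts WHERE session_id = ?');
        $del->execute([session_id()]);
    }
    $pdo->commit();
    if ($row === false || time() - (int) $row['created_at'] > $max_age) {
        return null;
    }
    return $row['salt'];
}

// Verify the submitted response against this session's salt and the stored hash.
// $submitted is what the form posted; $stored_password_hash is the server-side value
// shared by all users in this project. The derivation below is an assumption.
function verify_login(PDO $pdo, string $submitted, string $stored_password_hash): bool
{
    $salt = take_salt($pdo);
    if ($salt === null) {
        return false;   // no live challenge for this session: reject
    }
    $expected = hash('sha256', $salt . $stored_password_hash);
    if (!hash_equals($expected, $submitted)) {   // constant-time comparison
        return false;
    }
    session_regenerate_id(true);   // new id once authenticated: limits session fixation
    $_SESSION['authenticated'] = true;
    return true;
}
```

If the salt only has to survive from the login page to the form handler, it does not need a table at all: storing it in $_SESSION['login_salt'] keeps it server-side under the same session id, which is exactly the "data carried from page to page by the server" that Maugrim describes. One caveat with the challenge-response shape assumed here: whatever the server hashes together with the salt is password-equivalent, so it must be protected like the password itself, and the exchange still needs TLS.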