Re: [Phplib-users] a more secure session class
From: Giancarlo <gia...@na...> - 2002-06-29 15:00:02
I have uploaded the whole thing as a patch to sf, named 'Giancarlo's suite'. As I said, I applied the auth modifications to my 'rationalized auth->start' method. But essentially $sess->clone() has to be called after any auth_validatelogin or auth_doregister, somewhere in that unmaintainable auth->start method.

I am curious to hear from you.

Gian

At 15:18, Saturday 29 June 2002, Joe Stewart wrote:
> Hello,
>
> The changes sound reasonable and needed, I'd like to test and check them
> out. Can you send a patch?
>
> thanks,
>
> Joe
>
> On Sat, Jun 29, 2002 at 01:50:05PM +0200, Giancarlo wrote:
> > Hi
> > I've finished writing and testing new session and auth classes whose
> > major changes are:
> >
> > -upon login, the session content will be cloned into a NEW session, which
> > will then become THE session in use. It works for both cookie and get
> > mode, including fallback_mode=get
> >
> > This will stop cookie poisoning and takeovers, because the second session
> > will be unknown to an attacker or a snooper, and the initial session will
> > not hold any authentication.
> >
> > The modified auth class is based on my 'simplified auth->start' patch
> > (see patches at phplib on sf), as I refuse to put my hands into the old
> > auth->start crappy method.
> >
> > -That new auth class provides for easy management of login/reg forms
> > within fancy boxes, and has all the client interaction moved out to
> > page.inc (mode=reg/log, auth[uid]='form/nobody' etc) for easy
> > manipulation. No more cancel_login, auth[uid]=nobody, hardcoded mode/reg
> > mode, auth[uid]=form intermediate state.
> > This simple auth can be dropped into any phplib and work as before
> > (splash the login form), except the cancel_login, which no more exists
> > ;-))).
> > It can also be used, with a particular page.inc provided, to
> > handle login forms in a 'deferred' way (defer the output of the login
> > form), displayed within fancy boxes later in the page, without blocking
> > any other browser instance of auth.
> >
> > If anyone is interested I'll produce a patch of it all.
> >
> > Giancarlo
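The clone-on-login behaviour described in the quoted message, shown as an added example that is not phplib's code and not Giancarlo's patch. It is a minimal Python model of a server-side session table: `login_without_clone` records the login in whatever session id the client presented (the pre-patch behaviour being criticised), while `login_with_clone` first copies the session content into a fresh id and records the login only there. `fixation_attempt` plays the attack from the message: an attacker obtains a valid session id, plants it on the victim (cookie poisoning, or a snooped GET id), and the victim logs in with it. The class names, the `USERS` table, the `cart` value and the plaintext password check are all constructed for this demo and are assumptions, not anything from the project.

```python
import hmac
import secrets

# Constructed user table for the demo only; plaintext passwords keep the example short.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Server-side session table: session id -> dict of session variables (constructed model)."""

    def __init__(self):
        self._sessions = {}

    def start(self, client_sid=None):
        """Resume the session id the client presented (cookie or GET id), else open a fresh one."""
        if client_sid in self._sessions:
            return client_sid
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def data(self, sid):
        return self._sessions[sid]

    def clone(self, old_sid):
        """Copy the current session's content into a NEW session id and return that id.
        The old id keeps only its pre-login content, so whoever knows it gains nothing."""
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = dict(self._sessions[old_sid])
        return new_sid

    def is_authenticated(self, sid):
        return "uid" in self._sessions.get(sid, {})


def check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def login_without_clone(store, sid, username, password):
    """Pre-patch behaviour: the login is written into whatever session the client presented."""
    if not check_password(username, password):
        return sid
    store.data(sid)["uid"] = username
    return sid


def login_with_clone(store, sid, username, password):
    """Patched behaviour: clone into a new session and record the login only there."""
    if not check_password(username, password):
        return sid
    new_sid = store.clone(sid)
    store.data(new_sid)["uid"] = username
    return new_sid


def fixation_attempt(login):
    """Attacker plants a known session id on the victim, who then logs in with it.
    Returns (planted id is authenticated, victim ended up on a different id,
    pre-login content visible in the victim's session)."""
    store = SessionStore()
    planted = store.start()                  # attacker obtains a valid id and plants it
    store.data(planted)["cart"] = ["book"]   # pre-login state that must survive the login
    victim_sid = store.start(planted)        # victim's browser presents the planted id
    victim_sid = login(store, victim_sid, "alice", "correct horse battery staple")
    return (store.is_authenticated(planted),
            victim_sid != planted,
            store.data(victim_sid).get("cart"))


if __name__ == "__main__":
    print("without clone:", fixation_attempt(login_without_clone))  # attacker's id is now logged in
    print("with clone:   ", fixation_attempt(login_with_clone))     # attacker's id stays anonymous
```

Two things worth checking in a real implementation: the new id must come from a CSPRNG (as `secrets` does here) so the snooper cannot guess it, and in GET/fallback mode every link on the page must be rewritten with the new id, otherwise the victim keeps navigating on the planted, unauthenticated session.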