#30 Giancarlo's secure session suite

open
nobody
None
5
2002-06-29
2002-06-29
No

The base is the new session.inc.
Major changes are in session.inc and the auth->start method.

- Upon login, the session content will be cloned into a NEW session, which
will then become THE session in use. It works for both cookie and get mode,
including fallback_mode=get.

This will stop cookie poisoning and takeovers, because the second session
will be unknown to an attacker or a snooper, and the initial session will not
hold any authentication.

The auth class needed to be modified too, to order the cloning of the
session after auth_validatelogin and auth_registerform.

The one included is based on my 'simplified auth->start' patch (see patches
at phplib on sf), as I refuse to put my hands into the old auth->start
crappy method.

But if you want to base yourself on the original auth->start, go and figure
out where to place the changes. Somewhere after calling auth_validatelogin
and auth_doregister...

- This new auth class provides for easy management of login/reg forms within
fancy boxes, and has all the client interaction moved out to page.inc
(mode=reg/log, auth[uid]='form/nobody' etc.) for easy manipulation. No more
cancel_login, auth[uid]=nobody, hardcoded mode/reg mode, or auth[uid]=form
intermediate state.
This simple auth can be dropped into any phplib and work as before (splash
the login form), except for cancel_login, which no longer exists ;-))).
It can also be used, with a particular page.inc provided, to handle login
forms in a 'deferred' way (defer the output of the login form), displayed
within fancy boxes later in the page, without blocking any other browser
instance of auth.

For this auth to work, you also need to include the modified page.inc, where
all the 'interaction with the client' has moved, because now my auth->start
method only returns UID/false, and the interaction is handled by page.inc.

I have also uploaded an example of page.inc and showoff.php3 that provide a
'deferred' output of the login form, instead of the 'splash' behavior of
phplib.

There is also some docu about this auth in the README. And maybe there's
some TODO...

In session.inc I have tried to rationalize the get_id method, and split it
into two sub-helper methods called 'extract_id' and 'propagate_id', but the
workings and usage are not changed.
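The clone-on-login step described in the patch, shown as an added Python model rather than PHPLIB code or the patch itself. The in-memory SessionStore, the constructed credentials, and the function names (login_in_place, login_with_clone, fixation_scenario) are assumptions made for the example; what it demonstrates is the property the patch claims: an attacker who planted or sniffed the pre-login session id ends up holding an id that never receives the uid, while the victim's pre-login content survives the clone.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store standing in for PHPLIB's session
    container. Constructed for this example; not PHPLIB code."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None):
        # Fresh, unguessable id: knowing an older id says nothing about this one.
        sid = secrets.token_hex(16)
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def clone_session(store, old_sid):
    """Copy the contents of old_sid into a NEW session and return the new id.
    As in the patch description, the old session is left in place but never
    receives any authentication state (destroying it outright would be an
    equally valid hardening; the description does not say which it does)."""
    data = store.get(old_sid)
    if data is None:
        raise KeyError("unknown session id")
    return store.create(data)


# Constructed credentials for the example.
USERS = {"alice": "correct horse"}


def check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and secrets.compare_digest(
        expected.encode(), password.encode())


def login_in_place(store, sid, username, password):
    """Old behaviour: the uid is stored in the session the browser already
    carried, so whoever planted or sniffed that id becomes logged in too."""
    data = store.get(sid)
    if data is None:
        raise KeyError("unknown session id")
    if not check_password(username, password):
        return sid, False
    data["uid"] = username
    return sid, True


def login_with_clone(store, sid, username, password):
    """Patched behaviour: validate first, then clone into a new session and
    store the uid only there. The caller must switch to the returned id
    (cookie or GET propagation) from this point on."""
    if store.get(sid) is None:
        raise KeyError("unknown session id")
    if not check_password(username, password):
        return sid, False
    new_sid = clone_session(store, sid)
    store.get(new_sid)["uid"] = username
    return new_sid, True


def current_uid(store, sid):
    data = store.get(sid)
    return data.get("uid") if data else None


def fixation_scenario(login):
    """An attacker fixes or sniffs the victim's pre-login id, the victim logs
    in, and the attacker then presents the id they know. Returns what each
    side's id is worth afterwards."""
    store = SessionStore()
    victim_sid = store.create({"cart": ["book"]})   # constructed pre-login content
    attacker_known_sid = victim_sid                 # what the snooper captured
    victim_sid, ok = login(store, victim_sid, "alice", "correct horse")
    assert ok
    return {
        "victim_uid": current_uid(store, victim_sid),
        "attacker_uid": current_uid(store, attacker_known_sid),
        "cart_preserved": store.get(victim_sid).get("cart") == ["book"],
    }


if __name__ == "__main__":
    print("in place  :", fixation_scenario(login_in_place))
    print("with clone:", fixation_scenario(login_with_clone))
```

The only difference between the two login functions is where the uid lands; the clone happens strictly after password validation, which is the ordering the patch imposes on auth->start (after auth_validatelogin / auth_registerform), so a failed login never creates a new session either.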

Discussion

  • Session inc with clone() method
  • Clean auth.inc w/o client-interaction logic
  • page.inc with client-interaction, to work with auth.inc
  • example of page.inc for 'deferred' loginform showup
  • example showoff.php3 with 'deferred' loginform showup
  • the 'rationalized auth' README
  • TODO for the new.auth