From: flobee <fl...@gm...> - 2003-08-13 16:56:50
Hello all,

Is it possible that there is a little misconfiguration in the authentication? I got some reports from some authors (designer accounts) having problems staying logged in.

While checking the login system (manage_auth()) I see some "if" statements which will never act, like:

// see if ACL is cached

-> the "password" is never placed in the session! , as "session array" but not stuck in the session! Was the password forgotten to be stuck in, or do passwords have nothing to do in the session cookie? I'm not sure about it. I think at least it can be stuck in when having an own server, right!? Else using the $server[PHP_AUTH_PW....!?

Another security request is that there should be a "time limit" on the login procedure. My ISP gave me the information that most hack attacks start with brute force on htaccess files. So with PHP it's more simple!? And if you have no log mechanism you don't know what people exactly do when you see a lot of requests on your admin file like - http:// user : password @ sub . server . tld / phpesp / myfile.php

Or does the authentication only work on web browsers?

Kind regards,
flobee