[Phplib-trackers] [ phplib-Patches-575379 ] Giancarlo's secure session suite
From: <no...@so...> - 2002-06-29 14:47:19
Patches item #575379, was opened at 2002-06-29 14:47
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=403613&aid=575379&group_id=31885
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Giancarlo Pinerolo (pingus)
Assigned to: Nobody/Anonymous (nobody)
Summary: Giancarlo's secure session suite

Initial Comment:
The base is the new session.inc. Major changes are in session.inc and the auth->start method.

- Upon login, the session content will be cloned into a NEW session, which will then become THE session in use. It works for both cookie and get mode, including fallback_mode=get. This will stop cookie poisoning and takeovers, because the second session will be unknown to an attacker or a snooper, and the initial session will not hold any authentication.

The auth class needed to be modified too, to order the cloning of the session after auth_validatelogin and auth_registerform. The one included is based on my 'simplified auth->start' patch (see patches at phplib on sf), as I refuse to put my hands into the old auth->start crappy method. But if you want to base yourself on the original auth->start, go and figure out where to place the changes. Somewhere after calling auth_validatelogin and auth_doregister...

- This new auth class provides for easy management of login/reg forms within fancy boxes, and has all the client interaction moved out to page.inc (mode=reg/log, auth[uid]='form/nobody' etc) for easy manipulation. No more cancel_login, auth[uid]=nobody, hardcoded mode/reg mode, auth[uid]=form intermediate state. This simple auth can be dropped into any phplib and work as before (splash the login form), except the cancel_login, which no longer exists ;-))). It can also be used, with a particular page.inc provided, to handle login forms in a 'deferred' way (defer the output of the login form), displayed within fancy boxes later in the page, without blocking any other browser instance of auth.

For this auth to work, you also need to include the modified page.inc, where all the 'interaction with the client' has moved, because now my auth->start method only returns UID/false, and the interaction is handled by page.inc. I have also uploaded an example of page.inc and showoff.php3 that provide a 'deferred' output of the login form, instead of the 'splash' behavior of phplib. There is also some docu about this auth in the README. And maybe there's some TODO...

In session.inc I have tried to rationalize the get_id method, and split it into two sub-helper methods called 'extract_id' and 'propagate_id', but the workings and usage are not changed.
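The "clone the session into a new one at login" idea in the patch description, shown as an added example that is not PHPLib's code nor Giancarlo's patch. It uses a hypothetical in-memory `SessionStore` (names `login_without_rotation`, `login_with_rotation` and the sample session contents are constructed) so it can be run from the command line with `php` and illustrates why the pre-login id must never end up carrying the authenticated uid:

```php
<?php
// Added example, not code from PHPLib or from the patch being discussed.
// SessionStore, login_without_rotation and login_with_rotation are
// hypothetical names; the store is an in-memory stand-in for a session
// backend so that the logic runs offline.

final class SessionStore {
    private array $data = [];            // session id => session contents

    // New, unguessable id with an empty content array.
    public function create(): string {
        $id = bin2hex(random_bytes(16)); // 128 bits of randomness
        $this->data[$id] = [];
        return $id;
    }
    public function exists(string $id): bool { return isset($this->data[$id]); }
    public function get(string $id): array { return $this->data[$id] ?? []; }
    public function set(string $id, array $content): void { $this->data[$id] = $content; }
    public function destroy(string $id): void { unset($this->data[$id]); }
}

// Weak pattern: the uid is written into whatever session id the client
// presented. If that id was planted (fixation) or observed (snooping),
// the other party's copy of the id is now an authenticated session.
function login_without_rotation(SessionStore $store, string $sid, string $uid): string {
    $s = $store->get($sid);
    $s['auth']['uid'] = $uid;
    $store->set($sid, $s);
    return $sid;
}

// Pattern from the patch description: copy the pre-login content into a
// freshly created session, put the uid only there, and discard the old id.
// The id known before login never holds authentication.
function login_with_rotation(SessionStore $store, string $oldSid, string $uid): string {
    $content = $store->get($oldSid);     // keep cart, language, etc.
    $newSid  = $store->create();
    $content['auth']['uid'] = $uid;
    $store->set($newSid, $content);
    $store->destroy($oldSid);            // old id is now invalid everywhere
    return $newSid;                      // caller re-issues the cookie or
                                         // rewrites GET links with this id
}

// Constructed demo: a pre-login session that some third party could know.
$store   = new SessionStore();
$planted = $store->create();
$store->set($planted, ['cart' => ['sku-1', 'sku-2']]);

$after = login_with_rotation($store, $planted, 'alice');

var_dump($store->exists($planted));            // bool(false): old id is dead
var_dump($store->get($after)['auth']['uid']);  // string(5) "alice"
var_dump($store->get($after)['cart']);         // the cloned content survived
var_dump($after !== $planted);                 // bool(true)
```

With PHP's native session extension the same effect is obtained by calling `session_regenerate_id(true)` immediately after the credentials check, which issues a new id, carries the `$_SESSION` contents across and deletes the old session file; the point the patch makes for PHPLib's cookie and GET modes is the same: whichever id was in the client's hands before login must not become the authenticated one.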