[Phplib-users] a more secure session class
From: Giancarlo <gia...@na...> - 2002-06-29 11:53:48
Hi, I've finished writing and testing new session and auth classes whose major changes are:

- Upon login, the session content will be cloned into a NEW session, which will then become THE session in use. It works for both cookie and get mode, including fallback_mode=get. This will stop cookie poisoning and takeovers, because the second session will be unknown to an attacker or a snooper, and the initial session will not hold any authentication. The modified auth class is based on my 'simplified auth->start' patch (see patches at phplib on sf), as I refuse to put my hands into the old auth->start crappy method.

- That new auth class provides for easy management of login/reg forms within fancy boxes, and has all the client interaction moved out to page.inc (mode=reg/log, auth[uid]='form/nobody' etc.) for easy manipulation. No more cancel_login, auth[uid]=nobody, hardcoded mode/reg mode, auth[uid]=form intermediate state.

This simple auth can be dropped into any phplib and work as before (splash the login form), except for cancel_login, which no longer exists ;-))). It can also be used, with a particular page.inc provided, to handle login forms in a 'deferred' way (defer the output of the login form), displayed within fancy boxes later in the page, without blocking any other browser instance of auth.

If anyone is interested I'll produce a patch of it all.

Giancarlo
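The "clone into a NEW session on login" idea above, as an added example that is not part of Giancarlo's patch or of phplib: it uses PHP's native session functions instead of phplib's Session class, and the user table and `verify_credentials()` helper are constructed for illustration.

```php
<?php
// Added example, not phplib code. Mechanism: whatever session id existed before
// login (possibly seen or planted by an attacker) never becomes authenticated;
// the anonymous session's content is carried over into a freshly issued session.

// Constructed user table: password hashes made with password_hash().
const USERS = [
    'alice' => '$2y$10$examplehashexamplehashexamplehashexamplehashexamplehash1', // placeholder
];

function verify_credentials(string $user, string $pass): bool
{
    // Hypothetical helper: constant-time check against the stored bcrypt hash.
    return isset(USERS[$user]) && password_verify($pass, USERS[$user]);
}

function login_with_fresh_session(string $uid): string
{
    // Keep what the anonymous session collected (language, cart, ...).
    $carried = $_SESSION;

    // Issue a new id and delete the old session's storage. A later request that
    // presents the old id (cookie, or ?PHPSESSID=... in GET/fallback mode) gets an
    // empty, unauthenticated session rather than inheriting this one.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('could not regenerate session id');
    }

    // Authentication data is written only into the new session.
    $_SESSION = $carried;
    $_SESSION['auth'] = [
        'uid' => $uid,
        'exp' => time() + 900,
        'ip'  => $_SERVER['REMOTE_ADDR'] ?? '',
    ];
    // In cookie mode the new id was already sent; in GET mode links must carry it.
    return session_id();
}

session_start();
if (isset($_POST['username'], $_POST['password'])
    && verify_credentials($_POST['username'], $_POST['password'])) {
    $new_sid = login_with_fresh_session($_POST['username']);
    // Redirect so the old id is never reused by the browser for this page.
    header('Location: /index.php?' . session_name() . '=' . urlencode($new_sid));
    exit;
}
```

The redirect appends the new id only because the page describes GET/fallback mode; in pure cookie mode a plain `Location: /index.php` is enough, since `session_regenerate_id()` already sent the new cookie.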