Re: Rp.: Re: Rp.: Re: Rp.: Re: [Phplib-users] Doc suggestions
From: Maxim D. <max...@bo...> - 2002-07-09 14:52:17
Hello Giancarlo,

G> Ok, but this was the most 'mundane' and less significant among a series of other questions:
G> - don't you believe that, among these various propagations, cookies offer more guarantees

Yes, they do.

G> - is it right to downgrade everybody's security to the minimum common of those who have cookies disabled, with an effect exactly opposite of their reason to do so? Shouldn't it be more right
G> then to confine that to only those who cannot afford a better way?

Security is downgraded only for those who don't accept cookies and take the risk of the session being hijacked if the URLs they get are stolen from the remote proxy logs or published on the Internet. Nevertheless, sessions of the cookie-enabled clients can also be easily hijacked by a local person who knows how to use a sniffer and has an ability to use it. Both problems can be easily resolved by one thing - SSL. I don't forget some obvious things that strengthen security much more than a cookie-only session, like reasonably short session and auth expiration.

G> - what other session management allows arbitrary id creation and what can be an honest use of it?

Well, if it is a bug, it can be easily fixed in PHP. Though, I don't see any dishonest use of it either. How can the fact that a session with id 'foo' is created be a security hole?

G> - what about issuing a new session and moving to it after authenticating?

But what for? You'll get the new socks with the same old holes :) It adds some security through obscurity, nothing more - the session's insecurity is built-in and inherited.

G> - what about keeping track of session creation date & initial mode, and considering a
G> change of mode at the same level as a new client (mode coherence?).

Could you be more precise? I haven't caught the idea ...

G> - what is the use of the auth['uid']='form' status, if not better security?

I guess it's just an intermediate state. Not quite sure ...

-- 
Best regards,
Maxim Derkachev mailto:max...@bo...
IT manager, Symbol-Plus Publishing Ltd.
phone: +7 (812) 324-53-53 www.books.ru, www.symbol.ru
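The three mechanisms debated in the message above (cookie-only transport of the session ID, refusing IDs the server never issued, and moving to a fresh session ID at authentication, with a short auth lifetime on top) can be shown together in a login flow. The following is an added example written against PHP's native session API (PHP 7.3 or later for the array form of session_set_cookie_params and 5.5.2 or later for session.use_strict_mode); it is not phplib code and not from either correspondent. The verify_password() helper is assumed to exist and is not defined here.

```php
<?php
// Added example, not phplib code. Assumes a hypothetical
// verify_password($user, $password) helper that checks credentials.

// Refuse session IDs the server did not issue: a request carrying an
// unknown ID (such as 'foo') gets a freshly generated one instead of
// creating a session under the caller-chosen name.
ini_set('session.use_strict_mode', '1');

// Carry the ID in a cookie only, never in rewritten URLs, so it does not
// end up in proxy logs, Referer headers or published links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Cookie flags: 'secure' ties the cookie to TLS, which is the answer to the
// local-sniffer scenario; 'httponly' keeps page scripts from reading it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Record when this session was first created (survives ID regeneration,
// because the session data is carried over to the new ID).
$_SESSION['created_at'] = $_SESSION['created_at'] ?? time();

function login(string $user, string $password): bool
{
    if (!verify_password($user, $password)) {   // hypothetical helper
        return false;
    }
    // Switch to a new session ID at the moment of authentication and delete
    // the old record, so an ID that was known before login no longer maps
    // to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['uid']     = $user;
    $_SESSION['auth_at'] = time();
    return true;
}

// Authentication expires independently of the session itself: after
// $maxAge seconds the user must log in again even if the session persists.
function auth_is_valid(int $maxAge = 900): bool
{
    return isset($_SESSION['uid'], $_SESSION['auth_at'])
        && (time() - $_SESSION['auth_at']) <= $maxAge;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The call to session_regenerate_id(true) is the step Giancarlo asks about; combined with use_strict_mode it means the only ID that ever refers to the authenticated session is one the server generated after the credentials were checked, and the pre-login ID is deleted rather than left as a second handle on the same data.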