RE: [Phplib-users] store the IP in the session
From: Rob H. <rob...@ws...> - 2002-12-04 18:56:17
> Hi Kristian, good to see that you are still watching your baby phplib! :)
>
> > increment $sess->seq in page_open() as soon as you instantiated
>
> wahhh, and this would also cause problems in frame-based sites which have
> pages which do not call page_close() at the end. We once had a discussion
> about this. That would require shifting the generation of the new hash to
> page_close instead, being less secure again...

This could be easily addressed by maintaining a list of unique, non-incremental ids that are valid for a certain period of time, exactly the way IP does it. The scheme wouldn't even have to be blocking, and could allow multiple frames to use the same ID as long as it was within the lifetime of the list.

The problem is that this does nothing to tie the session to a certain machine. The only way to do this is with public key authentication. Like SecureID does, and hopefully DNSSec will do also in the future. Or, if it is a higher security environment now, so like Kristian says and get a key from a PKI authority. I am talking about easy to use and cheap stuff that does not require the user to do anything.

> I'd also support SSL instead, that would make it much easier phplib-wise. All
> these concerns about securing the session would be handed over to the SSL
> part. But on the other hand one knows that into SSL one could break in as
> well... There was another thread about this some weeks ago. But probably
> one could never make phplib sessioning as secure as SSL is right from the
> start... I guess.

Without some sort of universal PKI scheme, you are correct. There is just no reliable way to tie to a specific person/machine.

> Why not finish all these IP discussions then? Let's simply trigger the
> user to use SSL for safer sessions, which is fairly easy to do if you've
> got your own secure apache running.
>
> These auth things seem to be quite settled already. Shouldn't we focus
> more now on a new phplib4 cvs release which could be based on the snapshot
> on sf and deploy that in a user-friendly manner?
>
> Marko

Rob Hutton
Web Safe
www.wsafe.com
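The "list of unique, non-incremental ids valid for a certain period" scheme sketched in the reply, as an added example (not phplib code and not from the thread); the class and method names, the injectable clock and the 30-second lifetime are assumptions made here to show how the window tolerates parallel frames while still refusing a stale token, and why it cannot by itself bind a session to a machine.

```python
import secrets
import time

# Added illustration of the "list of unique, non-incremental ids valid for a
# certain period" scheme from the reply; not phplib code. The class, method
# names and the 30-second lifetime are assumptions made for this example.
TOKEN_LIFETIME = 30.0

class SessionTokenWindow:
    """Per-session tokens, each accepted for `lifetime` seconds.

    Several tokens are live at once, so frames loading in parallel (or
    pages that never reach page_close()) do not invalidate each other.
    """

    def __init__(self, lifetime=TOKEN_LIFETIME, clock=time.monotonic):
        self.lifetime = lifetime
        self.clock = clock      # injectable so the demo can fast-forward time
        self.valid = {}         # token -> expiry timestamp

    def _prune(self):
        now = self.clock()
        self.valid = {t: exp for t, exp in self.valid.items() if exp > now}

    def issue(self):
        """page_open(): mint a fresh random token for the next request."""
        self._prune()
        token = secrets.token_urlsafe(16)   # unguessable, not sequential
        self.valid[token] = self.clock() + self.lifetime
        return token

    def accept(self, token):
        """True while the token is inside its lifetime. It is not consumed
        (non-blocking), so sibling frames sent the same token all pass.
        Caveat from the reply: a token captured inside the window is accepted
        just the same; this bounds replay in time but does not bind the
        session to a machine."""
        self._prune()
        return token in self.valid

def demo():
    """Frame scenario plus a late replay, driven by a constructed clock."""
    now = [1000.0]
    win = SessionTokenWindow(lifetime=30.0, clock=lambda: now[0])
    tok = win.issue()                 # issued when the frameset page opens
    frame_a = win.accept(tok)         # both frames carry the same token
    frame_b = win.accept(tok)
    now[0] += 31.0                    # lifetime elapses
    replay = win.accept(tok)          # stale token is now refused
    return frame_a, frame_b, replay   # (True, True, False)
```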