RE: [Phplib-users] store the IP in the session
From: Rob H. <rob...@ws...> - 2002-12-06 13:25:49
This is the beginning of something better. But auth should NEVER be done in a cascade fashion. There should ALWAYS be a control structure. Secondly, there need to be more insertion points. The concept that auth is an abstract class is a good one IMO. Elimination of local.inc would be a mistake because now, as long as the API remains backwards compatible, you can drop local.inc into a newer version of PHPLib and not lose any customization.

One other thing, everyone please keep discussion on the list and not in private. There has evidently been a fair amount of off-list work going on that when it hits the list causes much discussion. I appreciate that there are people that are working on certain modules and have control over them, but we need to make sure that the changes made to PHPLib make sense for and to the community.

Rob Hutton
Web Safe
www.wsafe.com

**********************************************************************
Introducing Symantec Client Security - Integrated Anti-Virus, Firewall, and Intrusion Detection for the Client.
Learn more: http://enterprisesecurity.symantec.com/symes238.cfm?JID=2&PID=11624271

> -----Original Message-----
> From: Giancarlo [mailto:gia...@na...]
> Sent: Thursday, December 05, 2002 12:05 PM
> To: rob...@ws...
> Subject: Re: [Phplib-users] store the IP in the session
>
> I thought about auth. Yesterday I sent Joe this new start structure that
> allows both, structured and, if not, default cascade. It also allows
> calling the single action with start("authenticate"), if specified.
>
> Gian
>
> Rob Hutton wrote:
> >>-----Original Message-----
> >>From: php...@li...
> >>[mailto:php...@li...]On Behalf Of Giancarlo
> >>Sent: Thursday, December 05, 2002 6:49 AM
> >>To: phplib-users
> >>Subject: Re: [Phplib-users] store the IP in the session
> >>
> >>Kristian Koehntopp wrote:
> >> > Somebody who does not use session cookies, but forces us to use
> >> > GET parameters does not want to be secure, either. Again, we can
> >> > code around that, but it is useless and bloats our code.
> >>
> >>Yes, but also we should explain very clearly, to ourselves first, that
> >>using session cookies too, is prone to being forced into using GET... as
> >>I am not sure yet there is a strong technical explanation.
> >>So I'd add a $sticky_mode session variable to prevent or allow
> >>mode shifts.
> >>
> >
> > That's a question of configuration. If you don't want it to fallback to
> > get, then don't enable that. I think it should be defined clearer,
> > something like $mode = array("cookie", "get", "post") (vs. the current
> > $fallback_mode) because this would allow new modes to be added and a
> > preference list built ($mode = array("cert", "cookie")) where cert is an
> > extension of cookie that handles pki authentication. But you can already
> > prevent mode shifts.
> >
> > Secondly, if this is going into the current snapshot auth, Joe and I have
> > some very real problems with the unstructured approach. These need to be
> > addressed before further work is done. I will post the one I modified to
> > the patches area today.
> >
> > Rob Hutton
> > Web Safe
> > www.wsafe.com
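
The ordered $mode list and the prevention of mode shifts discussed in this thread, sketched as an added PHP example; it is not code from the messages above or from PHPLib. The function names, the layout of the session store and the 32-hex-character ID format are assumptions made for illustration.

```php
<?php
// Added illustration, not PHPLib code. All names below are hypothetical.

/**
 * Look for a session ID only in the enabled modes, in preference order.
 * Returns [mode, id] for the first well-formed ID found, or null.
 */
function find_session_id(array $modes, string $name, array $request): ?array
{
    foreach ($modes as $mode) {
        $id = $request[$mode][$name] ?? null;
        // Assumed ID format: 32 lowercase hex characters.
        if (is_string($id) && preg_match('/\A[0-9a-f]{32}\z/', $id)) {
            return [$mode, $id];
        }
    }
    return null;
}

/**
 * Sticky check: the stored session remembers the mode it was created
 * under, and an ID arriving by any other mode is refused.
 */
function accept_session(array $modes, string $name, array $request, array $store): ?string
{
    $found = find_session_id($modes, $name, $request);
    if ($found === null) {
        return null; // no ID in any enabled mode
    }
    [$mode, $id] = $found;
    $record = $store[$id] ?? null;
    if ($record === null || $record['mode'] !== $mode) {
        return null; // unknown ID, or a shift away from the original mode
    }
    return $id;
}

// Constructed sample data: one session that was created via cookie.
$sid       = str_repeat('ab', 16);
$store     = [$sid => ['mode' => 'cookie']];
$viaCookie = ['cookie' => ['sid' => $sid], 'get' => [], 'post' => []];
$viaGet    = ['cookie' => [], 'get' => ['sid' => $sid], 'post' => []];

var_dump(accept_session(['cookie'], 'sid', $viaCookie, $store));     // cookie only, ID in cookie
var_dump(accept_session(['cookie'], 'sid', $viaGet, $store));        // cookie only, ID in GET
var_dump(accept_session(['cookie', 'get'], 'sid', $viaGet, $store)); // GET enabled, session is cookie-bound
```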