Re: [Phplib-users] store the IP in the session
From: Giancarlo <gia...@na...> - 2002-12-07 02:52:41
Rob Hutton wrote:
> This is the beginning of something better. But auth should NEVER be done
> in a cascade fashion. There should ALWAYS be a control structure.

The API says that the checking of the input is to be done in the two
auth_validatelogin() and auth_doregister() functions. Note that they are
both in local.inc. These functions should return false if the input fields
are not provided, or wrong or false. Otherwise process the fields.

The fields used to be named 'username' and 'password' in the login form,
and 'username', 'pass1', 'pass2' in the register form.

We only provide an example for the login suite, auth_validatelogin and
loginform.ihtml, though. The missing couple, auth_doregister() and
registerform.ihtml, that you used for your tests surely had the pwd name
'password' instead of 'pass1', so what you submitted had different names
than 'pass1', and I guess you named the password field just 'password' as
in the login form ;-)

Anyway, what I call cascade is not cascade, and the check_request()
function I lately added to use as switch for a control structure, apart
from being a 'pre-duplicate' of what (the tests on the input) has already
to be done in the two local.inc functions, the only two places where a user
was supposed to place his hands in all, for anything related to login and
register. Note that, in addition, this is placed inside the main class, and
not in local.inc.

Sorry, I won't change that 'cascade'.

Gian

> Secondly, there need to be more insertion points. The concept that auth is
> an abstract class is a good one IMO. Elimination of local.inc would be a
> mistake because now, as long as the API remains backwards compatible, you
> can drop local.inc into a newer version of PHPLib and not lose any
> customization.
>
> One other thing, everyone please keep discussion on the list and not in
> private. There has evidently been a fair amount of off list work going on
> that when it hits the list causes much discussion. I appreciate that there
> are people that are working on certain modules and have control over them,
> but we need to make sure that the changes made to PHPLib make sense for and
> to the community.
>
> Rob Hutton
> Web Safe
> www.wsafe.com
>
> **********************************************************************
>
> Introducing Symantec Client Security - Integrated Anti-Virus,
> Firewall, and Intrusion Detection for the Client.
>
> Learn more:
> http://enterprisesecurity.symantec.com/symes238.cfm?JID=2&PID=11624271
>
>>-----Original Message-----
>>From: Giancarlo [mailto:gia...@na...]
>>Sent: Thursday, December 05, 2002 12:05 PM
>>To: rob...@ws...
>>Subject: Re: [Phplib-users] store the IP in the session
>>
>>I thought about auth. Yesterday I sent Joe this new start structure that
>>allows both, structured and, if not, default cascade. It also allows
>>calling the single action with start("authenticate"), if specified.
>>
>>Gian
>>
>>Rob Hutton wrote:
>>
>>>>-----Original Message-----
>>>>From: php...@li...
>>>>[mailto:php...@li...]On Behalf Of Giancarlo
>>>>Sent: Thursday, December 05, 2002 6:49 AM
>>>>To: phplib-users
>>>>Subject: Re: [Phplib-users] store the IP in the session
>>>>
>>>>Kristian Koehntopp wrote:
>>>>
>>>>>Somebody who does not use session cookies, but forces us to use
>>>>>GET parameters does not want to be secure, either. Again, we can
>>>>>code around that, but it is useless and bloats our code.
>>>>
>>>>Yes, but also we should explain very clearly, to ourselves first, that
>>>>using session cookies too, is prone to being forced into using GET... as
>>>>I am not sure yet there is a strong technical explanation.
>>>>So I'd add a $sticky_mode session variable to prevent or allow
>>>>mode shifts.
>>>
>>>That's a question of configuration. If you don't want it to fall back to
>>>get, then don't enable that. I think it should be defined clearer,
>>>something like $mode = array("cookie", "get", "post") (vs. the current
>>>$fallback_mode) because this would allow new modes to be added and a
>>>preference list built ($mode = array("cert", "cookie")) where cert is an
>>>extension of cookie that handles pki authentication. But you can already
>>>prevent mode shifts.
>>>
>>>Secondly, if this is going into the current snapshot auth, Joe and I have
>>>some very real problems with the unstructured approach. These need to be
>>>addressed before further work is done. I will post the one I modified to
>>>the patches area today.
>>>
>>>Rob Hutton
>>>Web Safe
>>>www.wsafe.com
>>>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Phplib-users mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phplib-users
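The rule Giancarlo states for the two local.inc functions (return false when a field is missing or wrong, otherwise process the fields, with the login form sending 'username' and 'password' and the register form sending 'username', 'pass1' and 'pass2') is shown below as an added example. This is not PHPLib's code and not code from anyone in the thread: the functions take the submitted fields as an array instead of reading globals, return a username instead of a uid, use an in-memory user table in place of PHPLib's database layer, and assume PHP 5.5 or later for password_hash()/password_verify(). The minimum password length and the username pattern are policy choices of this example.

```php
<?php
// Added example, not PHPLib's own code: local.inc-style validation
// functions that follow the rule described in the message. Assumptions:
// PHP >= 5.5 (password_hash/password_verify) and an in-memory user table.

// Constructed user table: username => password hash, built at load time
// so the example runs stand-alone.
$USERS = array(
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
);

// Returns the trimmed field value, or false when it is absent, not a
// string, or empty.
function required_field(array $fields, $name)
{
    if (!isset($fields[$name]) || !is_string($fields[$name])) {
        return false;
    }
    $value = trim($fields[$name]);
    return $value === '' ? false : $value;
}

// auth_validatelogin(): false when a field is not provided or wrong,
// otherwise the authenticated username (PHPLib's version returns a uid).
function auth_validatelogin(array $fields, array $users)
{
    $username = required_field($fields, 'username');
    $password = required_field($fields, 'password');
    if ($username === false || $password === false) {
        return false;   // not provided
    }
    // Unknown user and wrong password give the same answer, so the login
    // form does not reveal which usernames exist.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;   // wrong
    }
    return $username;
}

// auth_doregister(): false on missing input, mismatched passwords, a bad
// username or an existing one; otherwise store the user and return the name.
function auth_doregister(array $fields, array &$users)
{
    $username = required_field($fields, 'username');
    $pass1 = required_field($fields, 'pass1');
    $pass2 = required_field($fields, 'pass2');
    if ($username === false || $pass1 === false || $pass2 === false) {
        return false;   // a form that sends 'password' instead of 'pass1' stops here
    }
    // Policy of this example (assumption): both copies must match and be
    // at least 8 characters; usernames are 3-32 word characters.
    if ($pass1 !== $pass2 || strlen($pass1) < 8) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) || isset($users[$username])) {
        return false;
    }
    $users[$username] = password_hash($pass1, PASSWORD_DEFAULT);
    return $username;
}

// Constructed submissions, shaped like what a form handler reads from $_POST.
var_dump(auth_validatelogin(array('username' => 'alice', 'password' => 'correct horse'), $USERS));
var_dump(auth_validatelogin(array('username' => 'alice', 'password' => 'wrong'), $USERS));
var_dump(auth_validatelogin(array('username' => 'alice'), $USERS));                            // password field missing
var_dump(auth_doregister(array('username' => 'bob', 'password' => 'longenough1'), $USERS));   // wrong field name, as in the thread
var_dump(auth_doregister(array('username' => 'bob', 'pass1' => 'longenough1', 'pass2' => 'longenough1'), $USERS));
var_dump(auth_validatelogin(array('username' => 'bob', 'password' => 'longenough1'), $USERS)); // newly registered user logs in
```

Because every check lives in the two functions, there is nothing for a separate check_request() to pre-validate: a submission with the wrong field names is rejected by auth_doregister() itself rather than registering an account with an empty password.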
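Rob Hutton's sketch of a $mode preference list (an ordered array such as array("cookie", "get", "post"), with "cert" as a possible stronger mode) and Giancarlo's $sticky_mode idea for preventing mode shifts are combined below as an added example. It is not PHPLib's fallback logic and not code from the thread; the transport table, the resolve_session_mode() function and its parameters are hypothetical. The point it demonstrates is that an ordered list makes the downgrade decision explicit: a session that started on a cookie is not silently moved to a GET parameter, where the id would end up in Referer headers, proxy logs and browser history.

```php
<?php
// Added example, not PHPLib's own code: selecting the session id transport
// from an ordered preference list, with an optional sticky flag that
// refuses a shift to a transport further down the list.

// Transports this example understands (hypothetical names taken from the
// thread). 'in_url' marks transports that expose the session id in URLs.
$TRANSPORTS = array(
    'cert'   => array('in_url' => false),   // client certificate bound to the session
    'cookie' => array('in_url' => false),
    'post'   => array('in_url' => false),
    'get'    => array('in_url' => true),
);

// Returns the first mode in $preference that the current request can use,
// or false if none can.
//   $preference: ordered list, strongest first, e.g. array('cookie', 'get').
//   $available:  transports this request actually offers (cookie echoed
//                back, certificate presented, id found in POST or GET).
//   $sticky:     when true and $current is set, a move to a mode ranked
//                below $current is refused instead of accepted.
//   $current:    mode the existing session was established with, or null.
function resolve_session_mode(array $preference, array $available, $sticky, $current)
{
    global $TRANSPORTS;
    foreach ($preference as $mode) {
        if (!isset($TRANSPORTS[$mode])) {
            continue;   // unknown mode name in configuration: ignore it
        }
        if (!in_array($mode, $available, true)) {
            continue;   // client did not offer this transport
        }
        if ($sticky && $current !== null) {
            $rank_current = array_search($current, $preference, true);
            $rank_new     = array_search($mode, $preference, true);
            if ($rank_current !== false && $rank_new > $rank_current) {
                return false;   // downgrade refused; caller should start a fresh session
            }
        }
        return $mode;
    }
    return false;   // nothing acceptable offered
}

// Whether a chosen mode leaks the id into URLs; useful for logging a
// warning when an administrator puts 'get' high in the preference list.
function mode_exposes_id_in_url($mode)
{
    global $TRANSPORTS;
    return isset($TRANSPORTS[$mode]) && $TRANSPORTS[$mode]['in_url'];
}

// Constructed scenarios.
$mode = array('cookie', 'get', 'post');
var_dump(resolve_session_mode($mode, array('cookie', 'get'), true, null));      // first request, cookie works
var_dump(resolve_session_mode($mode, array('get'), false, 'cookie'));           // cookie lost, fallback allowed
var_dump(resolve_session_mode($mode, array('get'), true, 'cookie'));            // cookie lost, sticky: refused
var_dump(resolve_session_mode(array('cert', 'cookie'), array('cookie'), true, null)); // cert preferred, cookie accepted
var_dump(mode_exposes_id_in_url('get'));
```

With $sticky true, the caller treats a false result as "do not honour this session id": it starts a new anonymous session rather than accepting the id from the weaker transport, which is the behaviour Giancarlo's $sticky_mode variable was meant to enforce.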