Re: [phplib-users] current status of phplib

[Layne W. <la...@dr...>]

>It always seemed sensible to me which is why I've used it.  But after
>googling on the subject it seems that even this is not as secure as
>you might think, it only obscures things a bit better.  It should
>still be combined with SSL.  This link
><http://www.ietf.org/internet-drafts/draft-newman-auth-scram-04.txt>
>sounds pretty similar to what phplib does.  I think I am by no means
>an expert on these things, but phplib's auth seems much closer to
>secure (by far) than any other php authentication I've seen -- unless
>I am missing something.

Thanks for the link. CRC gives a nice security benefit for very=20
little effort, but it's not a panacea.

I am baffled when I see people implementing HTTP auth for their=20
web app (or not protecting themselves from SQL injection).



>>>I am desperately in need of cross-site authentication functionality,
>>>which it looks like it was discussed but never implemented, and I
>>>haven't seen any easy to use implementations in php.
>>
>>There are different levels of cross-site authentication that
>>have been discussed on this list from running multiple sites on
>>the same servers to sharing logins with a site under another
>>organization's control. I've implemented cross-site
>>authentication for sites hosted on the same servers a couple
>>times myself - it is trivial to build with auth_preauth(),
>>passing authentication tokens (stored temporarily in the DB) via
>>a hidden iframe or riding as parameters on a transparent gif request.
>
>it seems like an easy enough concept but I have had trouble getting it to
>work..

Why don't you start a new thread with the details - at least a=20
couple of us can take a look.

--=20

Layne Weathers