Re: [phplib-users] current status of phplib
From: Layne W. <la...@dr...> - 2007-07-19 18:33:38
>It always seemed sensible to me which is why I've used it. But after
>googling on the subject it seems that even this is not as secure as
>you might think, it only obscures things a bit better. It should
>still be combined with SSL. This link
><http://www.ietf.org/internet-drafts/draft-newman-auth-scram-04.txt>
>sounds pretty similar to what phplib does. I think I am by no means
>an expert on these things, but phplib's auth seems much closer to
>secure (by far) than any other php authentication I've seen -- unless
>I am missing something.

Thanks for the link. CRC gives a nice security benefit for very
little effort, but it's not a panacea. I am baffled when I see people
implementing HTTP auth for their web app (or not protecting
themselves from SQL injection).

>>>I am desperately in need of cross-site authentication functionality,
>>>which it looks like it was discussed but never implemented, and I
>>>haven't seen any easy to use implementations in php.
>>
>>There are different levels of cross-site authentication that
>>have been discussed on this list from running multiple sites on
>>the same servers to sharing logins with a site under another
>>organization's control. I've implemented cross-site
>>authentication for sites hosted on the same servers a couple
>>times myself - it is trivial to build with auth_preauth(),
>>passing authentication tokens (stored temporarily in the DB) via
>>a hidden iframe or riding as parameters on a transparent gif request.
>
>it seems like an easy enough concept but I have had trouble getting it to
>work..

Why don't you start a new thread with the details - at least a
couple of us can take a look.

-- 
Layne Weathers
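The token handoff described in the message above (tokens stored temporarily in the DB and passed to the second site as a request parameter), sketched as an added example that is not part of the original post or of PHPLIB. The table `handoff_tokens`, the functions `issue_token()` and `redeem_token()`, the 30-second lifetime, the site names and the in-memory SQLite database standing in for the shared DB are all assumptions; the value `redeem_token()` returns is what an `auth_preauth()` override on the second site could hand back.

```php
<?php
// Added example, not PHPLIB code. Table, function and site names are hypothetical.
declare(strict_types=1);

const TOKEN_TTL = 30; // seconds; assumes the handoff request fires right after login

function handoff_db(): PDO {
    $db = new PDO('sqlite::memory:'); // stands in for the DB both sites share
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE handoff_tokens (
        token_hash TEXT PRIMARY KEY, uid TEXT NOT NULL,
        target_site TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Site A, after a successful login: mint a random token bound to one target site.
// Only the SHA-256 of the token is stored, so reading the table yields no usable token.
function issue_token(PDO $db, string $uid, string $targetSite, int $now): string {
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('INSERT INTO handoff_tokens VALUES (?, ?, ?, ?)');
    $st->execute([hash('sha256', $token), $uid, $targetSite, $now + TOKEN_TTL]);
    return $token; // becomes the parameter on the iframe/gif request to $targetSite
}

// Site B: returns the uid on success, false otherwise.
// The DELETE is the claim: of two requests carrying the same token, only one
// deletes a row. Any presented token is burned, including on a failed check.
function redeem_token(PDO $db, string $token, string $thisSite, int $now) {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    $hash = hash('sha256', $token);
    $sel = $db->prepare('SELECT uid FROM handoff_tokens
        WHERE token_hash = ? AND target_site = ? AND expires >= ?');
    $sel->execute([$hash, $thisSite, $now]);
    $uid = $sel->fetchColumn();
    $del = $db->prepare('DELETE FROM handoff_tokens WHERE token_hash = ?');
    $del->execute([$hash]);
    return ($uid !== false && $del->rowCount() === 1) ? $uid : false;
}

// Constructed sample run: first use, replay, then an expired token.
$db = handoff_db();
$t = issue_token($db, 'uid-constructed-1', 'b.example', 1000);
var_dump(redeem_token($db, $t, 'b.example', 1010));
var_dump(redeem_token($db, $t, 'b.example', 1011));
$late = issue_token($db, 'uid-constructed-1', 'b.example', 1000);
var_dump(redeem_token($db, $late, 'b.example', 1000 + TOKEN_TTL + 1));
```

Because the token travels in a URL it can end up in server logs and Referer headers; the short lifetime and single-use claim are what limit the value of a leaked token.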