I have uploaded the whole as a patch to sf, named 'Giancarlo's suite'.
As I said, I applied the auth modifications to my 'rationalized auth->start'
method.
But essentially $sess->clone() has to be called after any auth_validatelogin
or auth_doregister, somewhere in that unmaintainable auth->start method.
I am curious to hear from you.
Gian
At 15:18, Saturday 29 June 2002, Joe Stewart wrote:
> Hello,
>
> The changes sound reasonable and needed, I'd like to test and check them
> out. Can you send a patch?
>
>
> thanks,
>
> Joe
>
> On Sat, Jun 29, 2002 at 01:50:05PM +0200, Giancarlo wrote:
> > Hi
> > I've finished writing and testing a new session and auth classes whose
> > major changes are:
> >
> > -upon login, the session content will be cloned into a NEW session, which
> > will then become THE session in use. It works for both cookie and get
> > mode, including fallback_mode=get
> >
> > This will stop cookie poisoning and takeovers, because the second session
> > will be unknown to an attacker or a snooper, and the initial session will
> > not hold any authentication.
> >
> > The modified auth class is based on my 'simplified auth->start' patch
> > (see patches at phplib on sf), as I refuse to put my hands into the old
> > auth->start crappy method.
> >
> > -That new auth class provides for easy management of login/reg forms
> > within fancy boxes, and has all the client interaction moved out to
> > page.inc (mode=reg/log, auth[uid]='form/nobody' etc) for easy
> > manipulation. No more cancel_login, auth[uid]=nobody, hardcoded mode/reg
> > mode, auth[uid]=form intermediate state.
> > This simple auth can be dropped into any phplib and work as before
> > (splash the login form), except the cancel_login, which no longer exists
> > ;-))). It can also be used, with a particular page.inc provided, to
> > handle login forms in a 'deferred' way (defer the output of the login
> > form), displayed within fancy boxes later in the page, without blocking
> > any other browser instance of auth.
> >
> > If anyone is interested I'll produce a patch of it all.
> >
> > Giancarlo
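As an added example that is not code from phplib or from this thread, here is a minimal PHP sketch of the clone-on-login idea Giancarlo describes: after a successful login the session content is copied into a freshly generated session and the old id is dropped. The names SessionStore, cloneSession and the stand-in auth_validatelogin are hypothetical.

```php
<?php
// Added example, not phplib code: an in-memory session store whose
// cloneSession() does what the thread describes for $sess->clone().
class SessionStore {
    private array $sessions = [];   // session id => session data

    public function create(): string {
        $id = bin2hex(random_bytes(16));   // unguessable id
        $this->sessions[$id] = [];
        return $id;
    }

    public function get(string $id): ?array {
        return $this->sessions[$id] ?? null;
    }

    public function set(string $id, array $data): void {
        $this->sessions[$id] = $data;
    }

    // Copy $oldId's content into a NEW session and forget the old id, so an
    // id known to a snooper before login never becomes an authenticated one.
    public function cloneSession(string $oldId): string {
        $data = $this->get($oldId) ?? [];
        $newId = $this->create();
        $this->set($newId, $data);
        unset($this->sessions[$oldId]);
        return $newId;
    }
}

// Constructed credential check standing in for phplib's auth_validatelogin().
function auth_validatelogin(string $user, string $pass): bool {
    return $user === 'demo' && hash_equals('s3cret', $pass);
}

$store = new SessionStore();
$sessionId = $store->create();                   // id issued before login
$store->set($sessionId, ['cart' => ['item-1']]);
$preLoginId = $sessionId;

if (auth_validatelogin('demo', 's3cret')) {
    $sessionId = $store->cloneSession($preLoginId);   // THE session from now on
    $data = $store->get($sessionId);
    $data['auth'] = ['uid' => 'demo'];              // login lives only in the clone
    $store->set($sessionId, $data);
}

var_dump($store->get($preLoginId));   // old id: no session, no authentication
var_dump($store->get($sessionId));    // cloned session: cart plus auth
```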