phpsecuresite-devel Mailing List for phpSecureSite
Status: Alpha
Brought to you by: egrinake
From: Erik G. <er...@wi...> - 2002-09-05 20:04:27
phpSecureSite 0.0.3 is released. You can get it from SourceForge at
http://sourceforge.net/projects/phpsecuresite/

This release doesn't have many major changes to the system; instead the focus
has been on extending the features already present in the system. Here is a
list of some of the changes:

- Improved the phpss_auth() and phpss_login() interfaces (returns various
  error codes)
- Added a logging subsystem
- Implemented a handful of events for logging and in preparation for the
  upcoming module subsystem
- You can now set the database server port for connections
- Removed the demo site
- Documentation improvements

As always, read the full documentation. And remember that the system is not
ready for production use at all, so if you use it for anything serious you
are on your own.
From: Erik G. <er...@wi...> - 2002-06-16 18:18:17
phpSecureSite is now available through SourceForge CVS. This allows several
developers to easily collaborate on the project, and users can download
bleeding-edge development snapshots.

The CVS repository has been split up into four separate projects. These are:

  database   SQL database structures
  demo       Demo site
  docs       Documentation
  phpss      The phpSecureSite system

For more info on accessing the CVS repository go to the project home page at
http://www.sourceforge.net/projects/phpsecuresite

For more info on CVS in general you should take a look at the book "Open
Source Development with CVS" by Karl Fogel. It is available online at
http://cvsbook.red-bean.com/

-- 
Erik Grinaker
Freelance UNIX/Linux systems consultant

"Perfection is achieved not when there is nothing more to add, but rather
when there is nothing more to take away"
- Antoine de Saint-Exupéry
From: Erik G. <er...@wi...> - 2002-06-16 16:50:01
phpSecureSite version 0.0.2 is finally out. After a small "mishap" with the
development server two months of work was lost, which is the reason for the
five month delay since version 0.0.1. Development will probably be a bit
more fast-paced now, with new releases once a month or so.

To download it go to the project homepage at
http://www.sourceforge.net/projects/phpsecuresite

-- 
Erik Grinaker
Freelance UNIX/Linux systems consultant

"Perfection is achieved not when there is nothing more to add, but rather
when there is nothing more to take away"
- Antoine de Saint-Exupéry
From: Erik G. <er...@wi...> - 2002-03-26 00:38:30
Hmmmm, forgot to CC the list. In case anyone is interested

-----Forwarded Message-----

> From: Erik Grinaker <er...@wi...>
> To: "Woolhiser, Eric" <Eri...@bm...>
> Subject: RE: [phpSecureSite-devel] New version postponed
> Date: 25 Mar 2002 23:22:10 +0100
>
> On Mon, 2002-03-18 at 16:08, Woolhiser, Eric wrote:
>
> > "Only wimps use tape backups: real men upload their important stuff
> > on ftp, and let the rest of the world mirror it."
> > - Linus B. Torvalds
>
> Haha, so true :D
>
> Would have, if I had only gotten 0.1 done.
>
>
> > Just put it up in sourceforge CVS, and make a weekly tarball.
>
> Great idea. I've been playing with the thought for some time. That would
> also allow interested parties to follow the development process.
>
> I'll just need to learn how to use it first - but that should be too
> much of a problem.
>
> -- 
>
> Erik Grinaker
> Freelance UNIX/Linux systems consultant
>
> "Perfection is achieved not when there is nothing more to add, but
> rather when there is nothing more to take away"
> - Antoine de Saint-Exupéry
From: Woolhiser, E. <Eri...@bm...> - 2002-03-18 15:09:09
> The first thing I'll do when I begin development again is to set up a
> good backup-system so I'll never have to go through this again.

"Only wimps use tape backups: real men upload their important stuff on
ftp, and let the rest of the world mirror it."
- Linus B. Torvalds

Just put it up in sourceforge CVS, and make a weekly tarball.
From: Erik G. <er...@wi...> - 2002-03-17 23:59:11
I have managed to delete the whole phpSecureSite development tree, and the
latest backup is a month old. This means that the new release will be
postponed a month or two while I reimplement the lost code. 0.1 may be out
around May 1. 2002. @#$&%!!!

Here's a list of some new features for you to drool over until the new
version is out;

- Fully modularized system, based on events and handlers. This allows
  third-party developers to write their own plug-in modules
- Whole system rewritten into the new module system. Modules include
  - Core system (minimal session handling)
  - Logging subsystem
  - Session variables (also persistent (intersession) vars)
  - IP access control
  - Brute force protection
- Extensive documentation in DocBook SGML, rendered to HTML, PDF,
  PostScript or pretty much any other format
- New demo site which demonstrates all the phpSecureSite functionality
- Complete abstraction of the database

Although there is still a long way to go before it is ready for real-world
use, it has grown considerably since version 0.0.1, and my ambitions for
the system are constantly increasing. I think that within a year it will
be a highly secure and functional security system for web-apps which
should be ready for use in environments where security is a top priority,
for example online banking-services or ecommerce-sites.

The first thing I'll do when I begin development again is to set up a
good backup-system so I'll never have to go through this again.

-- 
Erik Grinaker
Freelance UNIX/Linux systems consultant

"Perfection is achieved not when there is nothing more to add, but rather
when there is nothing more to take away"
- Antoine de Saint-Exupéry
From: Erik G. <er...@wi...> - 2002-01-19 18:34:04
Well, I'm going to start working on version 0.0.2 any day now, and would
like some feedback on the new features I've got planned. The todo-list
currently contains;

- don't use err_page variables, make phpss_auth() return error values
  instead
- add some basic user functions (get current user id, get userinfo by id
  etc)
- add ip limitations (user xx can only log in from ips yy and zz -
  spoofable, but still a nice feature)
- add LDAP/NIS authorization (depends on code submission from Jeff Hoover)
- add logging subsystem
- modularize function-libraries (so only required libraries need to be
  loaded)
- shell scripts to be run from cron for log and session data
  backups/cleanups
- add session variables
- add abstraction for database, set table and column names as variables
  in settings.php
- use phpss_ prefix for database table-names
- make generic database layer? (postgresql/oracle/whatever compatibility.
  sql rewrite needed?)

-- 
Erik Grinaker
UNIX/Linux systems consultant
Elan IT Resource - www.elanit.no

"Perfection is achieved not when there is nothing more to add, but rather
when there is nothing more to take away"
- Antoine de Saint-Exupéry
From: Woolhiser, E. <Eri...@bm...> - 2002-01-07 15:17:55
To quote Raymond:

"13. How Fine a Gift?

There are consistent patterns in the way the hacker culture values
contributions and returns peer esteem for them. It's not hard to observe
the following rules:

1. If it doesn't work as well as I have been led to expect it will, it's
no good -- no matter how clever and original it is.

Note the `led to expect'. This rule is not a demand for perfection; beta
and experimental software is allowed to have bugs. It's a demand that the
user be able to accurately estimate risks from the stage of the project
and the developers' representations about it.

This rule underlies the fact that open-source software tends to stay in
beta for a long time, and not get even a 1.0 version number until the
developers are very sure it will not hand out a lot of nasty surprises.
In the closed-source world, Version 1.0 means ``Don't touch this if
you're prudent.''; in the open-source world it reads something more like
``The developers are willing to bet their reputations on this.''"

http://tuxedo.org/~esr/writings/homesteading/homesteading/x284.html

> -----Original Message-----
> From: Erik Grinaker [mailto:er...@ch...]
> Sent: Friday, January 04, 2002 21:39
> To: Woolhiser, Eric
> Cc: 'phpSS'
> Subject: Re: [phpSecureSite-devel] Don't mean to be a nag...
>
>
> On Fri, 2002-01-04 at 20:59, Woolhiser, Eric wrote:
>
> > When can we see some of the source code?
>
> Well, I've completely rewritten the system for the first public release,
> and I don't plan on making any further changes for version 0.0.1. All
> that remains is writing up some documentation, but this will take a
> little while.
>
> I guess a release sometime early next week should be pretty realistic.
>
> Version 0.0.1 is still kind of immature, and the only reason for
> releasing it is to get some feedback from the community. I've still got
> a few issues I'd like to have someone else's opinions on, but it's much
> easier to suggest changes when you have something to look at.
>
> Even though the system is fully usable, there still are some rather
> important features which need to be added for it to be a full-blown
> session-handling system. And I cannot guarantee future versions will be
> backwards-compatible either, so I wouldn't use it for anything
> important.
>
>
> -- 
>
> Erik Grinaker
> UNIX/Linux systems consultant
> Elan IT Resource - www.elanit.no
>
> "Perfection is achieved not when there is nothing more to add, but
> rather when there is nothing more to take away"
> - Antoine de Saint-Exupéry
From: Erik G. <er...@ch...> - 2002-01-05 02:39:48
On Fri, 2002-01-04 at 20:59, Woolhiser, Eric wrote:
> When can we see some of the source code?

Well, I've completely rewritten the system for the first public release,
and I don't plan on making any further changes for version 0.0.1. All
that remains is writing up some documentation, but this will take a
little while.

I guess a release sometime early next week should be pretty realistic.

Version 0.0.1 is still kind of immature, and the only reason for
releasing it is to get some feedback from the community. I've still got
a few issues I'd like to have someone else's opinions on, but it's much
easier to suggest changes when you have something to look at.

Even though the system is fully usable, there still are some rather
important features which need to be added for it to be a full-blown
session-handling system. And I cannot guarantee future versions will be
backwards-compatible either, so I wouldn't use it for anything important.

-- 
Erik Grinaker
UNIX/Linux systems consultant
Elan IT Resource - www.elanit.no

"Perfection is achieved not when there is nothing more to add, but rather
when there is nothing more to take away"
- Antoine de Saint-Exupéry
From: Woolhiser, E. <Eri...@bm...> - 2002-01-04 20:00:22
Well maybe I do. When can we see some of the source code?

I'm gonna do some reading on dynamic HTML, but if this project doesn't
get started soon, I'll have to roll my own so I can get back to work on
MidWatch. I still don't know enough PHP to have any reason not to use the
embedded session() functions, and if I go through the effort of writing
that and it works, I probably won't be around here any time soon.

-- 
Eric Woolhiser
NT Build Meister
http://midwatch.org/pgp-key.html
http://www.bmc.com
http://www.tuxedo.org/~esr/ecsl
From: Erik G. <er...@ch...> - 2002-01-02 17:38:10
On Wed, 2002-01-02 at 17:53, Woolhiser, Eric wrote:
> OK, I gotta ask, what do you think is wrong with using the session
> functions? If you are going to support sessions but not use the embedded
> functions, it sounds like you wish to re-invent the wheel here.
> Wouldn't phpSecureSite be more likely to thrive as an open source project
> if the code used the standard tool sets?

Ah, glad you asked :)

I'm gonna give a quite lengthy explanation of this in the docs, but I'll
try to give a (somewhat) boiled-down explanation here;

The main reason for not using the session()-family is because I find it
to be lacking the flexibility I need for my apps - both with regard to
security, and functionality. And underlying my reasoning for this is that
I find that having a clean, consistent and smart database, and then
writing dumb code for it, makes the system smaller, more expandable,
cleaner and easier to understand.

In fact, the whole reason for this project is that I found the
session()-family to be lacking, and I'm therefore writing an alternative
to php's session-handling system.

Here are some of the reasons why I find the php built-in session handling
to be insufficient:

I want the whole system to be based on a database (as opposed to the
server's memory), so it's possible to attach log entries to sessions,
which in turn are attached to accounts. As the project progresses I might
also be able to add tracking functionality, allowing the site admin to
generate statistics based on session activity.

I have already added support for IP checking, to prevent session
hijacking. This requires that a lot of the session data is already stored
in a database, so I didn't see any reason not to base the whole system on
databases, instead of using a merger of php's session()-family and my own
system.

I believe that sessions weren't introduced to php before version 4, so
those who use php3 should be able to get session-handling through my
system (although this has not been verified).

And I'm also quite the control-freak, and like to have close to absolute
power over my scripts. :) To modify the way the php session system works,
you need to modify the php C sources, while my system relies on rather
low-level php functions, making it easier to modify.

Of course this has its backsides. Since my system relies 100% on
databases for data storage it will require a bit more resources and a
fast i/o subsystem (depending on the number of concurrent users), but I
think this is an acceptable tradeoff for the (coming) functionality and
security.

In addition, the php session system allows for sessions based on POST/GET
vars and other methods of preserving data. This should not be a problem
to include in phpSecureSite, but until then the system requires the use
of cookies.

If you, or anyone else, have any thoughts on this, please let me know.
Suggestions are always more than welcome.

-- 
Erik Grinaker
UNIX/Linux systems consultant
Elan IT Resource - www.elanit.no

"Perfection is achieved not when there is nothing more to add, but rather
when there is nothing more to take away"
- Antoine de Saint-Exupéry
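The database-backed design Erik sketches in the message above (accounts own sessions, sessions own log entries, a session is bound to the IP that created it) together with the IP access control and brute force protection from the 2002-03-17 feature list, worked through as an added example. It is not phpSecureSite's own code and is written in Python with sqlite3 rather than PHP so it runs stand-alone; the table names, error codes, the salt and the alice / s3cret account are all constructed for the example.

```python
# Added example, not phpSecureSite code; table, column and error names are this example's own.
import hashlib, secrets, sqlite3, time

OK, ERR_BAD_LOGIN, ERR_LOCKED, ERR_NO_SESSION, ERR_EXPIRED, ERR_IP_MISMATCH = range(6)
MAX_FAILED, SESSION_TTL = 5, 1800   # lock after 5 bad passwords; 30-minute sessions
SALT = b"constructed-demo-salt"     # a real store keeps one random salt per account

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash BLOB,
                       failed INTEGER DEFAULT 0);
CREATE TABLE sessions (id TEXT PRIMARY KEY, account_id INTEGER REFERENCES accounts(id),
                       ip TEXT, expires REAL);
CREATE TABLE log (id INTEGER PRIMARY KEY, session_id TEXT, event TEXT, ip TEXT, ts REAL);
"""

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def open_store():
    """In-memory store holding one constructed account: alice / s3cret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO accounts (username, pw_hash) VALUES (?, ?)", ("alice", pw_hash("s3cret")))
    return conn

def log_event(conn, session_id, event, ip):
    conn.execute("INSERT INTO log (session_id, event, ip, ts) VALUES (?, ?, ?, ?)",
                 (session_id, event, ip, time.time()))

def login(conn, username, password, ip):
    """Return (code, session_id). Unknown user and wrong password share one code."""
    row = conn.execute("SELECT id, pw_hash, failed FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    if row and row[2] >= MAX_FAILED:
        return ERR_LOCKED, None                    # brute-force lockout
    if row is None or not secrets.compare_digest(row[1], pw_hash(password)):
        if row:
            conn.execute("UPDATE accounts SET failed = failed + 1 WHERE id = ?", (row[0],))
        log_event(conn, None, "login_failed", ip)
        return ERR_BAD_LOGIN, None
    session_id = secrets.token_hex(16)             # 128-bit random cookie value
    conn.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
                 (session_id, row[0], ip, time.time() + SESSION_TTL))
    conn.execute("UPDATE accounts SET failed = 0 WHERE id = ?", (row[0],))
    log_event(conn, session_id, "login_ok", ip)
    return OK, session_id

def auth(conn, session_id, ip, now=None):
    """Validate the session cookie against the request IP; a mismatch ends the session."""
    now = time.time() if now is None else now
    row = conn.execute("SELECT ip, expires FROM sessions WHERE id = ?", (session_id,)).fetchone()
    if row is None:
        return ERR_NO_SESSION
    bound_ip, expires = row
    if now > expires or ip != bound_ip:            # expired, or not the IP that created it
        conn.execute("DELETE FROM sessions WHERE id = ?", (session_id,))
        log_event(conn, session_id, "expired" if now > expires else "ip_mismatch", ip)
        return ERR_EXPIRED if now > expires else ERR_IP_MISMATCH
    log_event(conn, session_id, "auth_ok", ip)
    return OK
```

Because every event is logged against a session id, a query on the log table gives the per-session history the message describes (login, authenticated requests, the hijack attempt that killed it).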
From: Woolhiser, E. <Eri...@bm...> - 2002-01-02 16:53:25
> -----Original Message-----
> From: Erik Grinaker
> Sent: Tuesday, January 01, 2002 15:07
> To: Woolhiser, Eric
>
> Yep, this is also the kind of scenario I'm designing the project for.
> Large companies etc building a secure web-app probably have developers
> who are more than capable of handling the task themselves. What I'd like
> phpSecureSite to be is a quick and easy way for your average Joe Q.
> Webmaster to add *secure* authentication and session-handling to their
> webapp. Although I've seen all too many "professionally" made webapps
> with a terrible, terrible, terrible security-scheme - which is why I
> don't use php's session() family of functions, and rely on a
> built-from-scratch session handling scheme, so that it can be easily
> integrated into more complex applications, and fine-tuned to
> perfection.
>
> As the system is today all you need is rw-access to the filesystem (via
> ftp or whatever) and full access to a mysql database.
>

OK, I gotta ask, what do you think is wrong with using the session
functions? If you are going to support sessions but not use the embedded
functions, it sounds like you wish to re-invent the wheel here.
Wouldn't phpSecureSite be more likely to thrive as an open source project
if the code used the standard tool sets?
From: Erik G. <er...@ch...> - 2002-01-01 20:07:13
On Mon, 2001-12-31 at 15:29, Woolhiser, Eric wrote:
> I've got some real life grungy things to do today ...like resurrect a
> system that bluescreens while booting... I've read your note on GPL. I
> use GPL for midwatch.org and the last time I read it, it allows you to
> use the open source code anyway you like, but it does not allow
> redistribution of the code unless you open all of your code that you
> mixed in with the open source code you got.

Yeah, that's how I thought it worked. I'll just give it a quick look
though, just to be sure...

> Thus an e-commerce company could use your code as part of their website,
> and keep the whole website closed as long as they didn't distribute the
> site.

Perfect!

> I see by your quote of Antoine de Saint-Exupéry, that you very likely
> have read Eric Raymond. It's helpful to speak the same language. ;)

Hehe, sure have. I guess we have a pretty equal perspective on things at
least, which is nice :)

> Picture the Webmaster who is a little code savvy, wants PHP dynamic
> content, but is renting space on some webserver where he doesn't have
> total admin control over the server.
>
> It may be that PHPSecureSite will be a quick and easy way for him to
> build a website that would track users and allow logins and stuff. Can
> we construct a system where such a webmaster could make use of
> PHPSecureSite while only having limited admin control? Assume that the
> webmaster has been granted full access to at least one MySQL database on
> the server.

Yep, this is also the kind of scenario I'm designing the project for.
Large companies etc building a secure web-app probably have developers
who are more than capable of handling the task themselves. What I'd like
phpSecureSite to be is a quick and easy way for your average Joe Q.
Webmaster to add *secure* authentication and session-handling to their
webapp. Although I've seen all too many "professionally" made webapps
with a terrible, terrible, terrible security-scheme - which is why I
don't use php's session() family of functions, and rely on a
built-from-scratch session handling scheme, so that it can be easily
integrated into more complex applications, and fine-tuned to perfection.

As the system is today all you need is rw-access to the filesystem (via
ftp or whatever) and full access to a mysql database.

> Anyway, if you want to use the mail lists on source forge you should
> start using them.
> While this message isn't really a release announcement, I am cc:ing it
> there because you don't have a developers mail list set up.

Well, there is now; phpsecuresite-devel. This message is CC'ed there, and
I suggest we conduct future discussions there.

> (and BTW, there is no conspiracy) http://www.tuxedo.org/~esr/ecsl

Haha, that is *so* cool :) Better sign up right away (and yes, I *will*
get you your coolness-point for recruiting me :)).

-- 
Erik Grinaker
UNIX/Linux systems consultant
Elan IT Resource - www.elanit.no

"Perfection is achieved not when there is nothing more to add, but rather
when there is nothing more to take away"
- Antoine de Saint-Exupéry