Menu
▾
▴
Re: [Phpwiki-talk] Re: [phpwiki-checkins] CVS: phpwiki/lib WikiUserNew.php,NONE,1.1
|
From: Joby W. <joby@u.washington.edu> - 2003-12-15 20:03:33
|
Reini Urban wrote: > Joby Walker schrieb: > > Well, I'm not so concerned about security with this password issue, > since it's only a wiki. nothing serious. The wiki that I manage is quite critical and contains a lot of data we don't want to fall into hostile hands... > If I store sensitive data in cookies I do a symeteric encryption with a > secret key at the host, generated at install time. > but it's true that certain pref data shouldn't be stored in cookies: > passwd (for security), email (. just the basic prefs for username and > layout. > otherwise the user has to create a homepage. > okay? I still wouldn't do it this way. I would: Cookie: Contents = a 64 character hex number [md5(random data1) . md5(random data2)] SSL = configurable yes/no Expire = configurable Server Session Validation: Cookie Content ID Browser Used IP# Expiration Time If the cookie points to a valid session then the user is logged into as the saved (as a part of the session) username and given the associated saved preferences. This will allow for a more secure "auto-login" process -- if a cookie is compromised then it will contain no hard data (encrypted or not) with a fairly limited vulnerability window. And once the session attached to that cookie contents has expired -- the data is completely useless. And allows admins to dynamically set the expiration time of sessions (from never to very short times) even after the cookie has been set on the user's computer. > > but then we'll have to fix the login procedure also. > >> On a better note the classes look good. Having different classes with >> common methods will be very helpful for the future of phpwiki. I absolutely agree. My quibble is with an implimentation detail not the general architecture. These classes will make things MUCH easier. jbw |
