Re: Cookie-over-HTTPS vs HTTP authentication
From: Davi Leal
Subject: Re: Cookie-over-HTTPS vs HTTP authentication
Date: Fri, 9 May 2008 19:26:09 +0200
User-agent: KMail/1.9.7
Chris Carpita wrote:
> Basic auth is more or less fool-proof, best for internal audiences,
> and it is encrypted only over SSL.
The current authentication procedure is working as follows:
1. The user fills in email+password in the log-in form.
2. The submit button sends via HTTPS the email+password information:
<form name="LogForm" method="post" action="https://gnuherds.org/">
Ref.: Layer-0__Site_entry_point/templates/log_in_box.tpl
3. The email+password is checked against the database:
Ref.: Layer-2__Business_logic/others/Log_form.php
If the email+password is right the webapp sets several PHP session
variables:
* 'Logged' to '1' to record the user is rightly logged.
$_SESSION['Logged'] = '1';
* 'LoginEmail' to identify what user is logged.
$_SESSION['LoginEmail']
4. In the next HTTPS request the user's browser will send
the PHPSESSID cookie to the Apache server.
The PHPSESSID cookie is only accepted if it has been sent
over HTTPS. That is forced with the below php.ini configuration
setting:
session.cookie_secure = 1
Ref.:
http://es2.php.net/manual/en/session.configuration.php#ini.session.cookie-secure
Every page which requires the user to be authenticated in order to be
accessed has the below check:
// We have to use SSL for encryption of the password, PHPSESSID, etc.,
// because otherwise it is sent to the web server as plain text.
// Insert the following code snippet at the top of each secure page.
// isset() avoids the undefined-index notice for visitors with no session yet.
if ( isset($_SESSION['Logged']) and $_SESSION['Logged'] == '1'
     and ( !isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on' ) )
{
    header("Location: https://$_SERVER[SERVER_NAME]$_SERVER[REQUEST_URI]");
    exit;
}
Ref.: Layer-0__Site_entry_point/*.php
There are other security measures in some of the PHP configuration options
exposed at http://gnuherds.org/doc/conf/php.ini
IMHO the current authentication method is secure. What do you think? Any fix,
any better option?
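The procedure described in the message above (HTTPS-only login form, session variables set on success, session.cookie_secure, and an HTTPS check at the top of every secure page), collected into one include as an added example. This is not the GNU Herds project's own code; SITE_HOST, require_https(), require_login(), log_in() and the $check callable standing in for the database lookup are all assumptions made for the example. It goes slightly beyond the message's check in two ways: the HTTPS redirect fires before session_start() and for every visitor, not only logged-in ones, and the session id is regenerated when the user logs in.

```php
<?php
// Added example, not the GNU Herds code. Names below are assumptions.

define('SITE_HOST', 'gnuherds.org');   // canonical host used in redirects (assumed)

// Same effect as the php.ini setting cited in the message, set before session_start().
ini_set('session.cookie_secure', '1');
// Only accept the session id from the cookie, never from a PHPSESSID URL parameter.
ini_set('session.use_only_cookies', '1');

// Apache mod_ssl sets HTTPS to 'on'; some other servers set '1', and IIS sets 'off'
// for plain requests, so test for "set and not 'off'" rather than only for 'on'.
function request_is_https()
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Gate 1: never serve a secure page over plain HTTP. Called before session_start()
// so an HTTP request never touches the session at all.
function require_https()
{
    if (!request_is_https()) {
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
        header('Location: https://' . SITE_HOST . $uri, true, 302);
        exit;
    }
}

// Gate 2: the session must carry Logged == '1', exactly as the message describes.
function require_login()
{
    if (!isset($_SESSION['Logged']) || $_SESSION['Logged'] !== '1') {
        // Hypothetical location of the log-in form.
        header('Location: https://' . SITE_HOST . '/', true, 302);
        exit;
    }
}

// Login step (the role of Log_form.php in the message). $check is a callable
// supplied by the caller that performs the email+password lookup in the database;
// it is an assumption here because the example has no database of its own.
function log_in($email, $password, $check)
{
    if (!call_user_func($check, $email, $password)) {
        return false;
    }
    // Issue a fresh PHPSESSID so the id used before authentication is discarded.
    session_regenerate_id(true);
    $_SESSION['Logged']     = '1';
    $_SESSION['LoginEmail'] = $email;
    return true;
}

function log_out()
{
    $_SESSION = array();
    session_destroy();
}

// Usage at the top of every secure page, in this order:
require_https();
session_start();
require_login();
```

The order of the three calls at the bottom matters: require_https() runs first so that a plain-HTTP request is redirected before any session cookie is read or issued, session_start() then loads the session that arrived in the Secure-flagged PHPSESSID cookie, and require_login() finally checks the 'Logged' variable the login step set.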