
BLU Discuss list archive



php ultranoob session question



On Mon, 31 Aug 2009, Eric Chadbourne wrote:

>> Hi all.
>>
>> So I'm whipping up a login system for a website instead of using
>> somebody else's. I'm reading through the sessions documentation. Being
>> as the session ID is propagated via a cookie or the URL, is there any
>> advantage to using sessions with a basic authentication system? At the
>> moment it appears everything sessions can do I can do via my own
>> hackery. Forgive my question if I'm missing something fundamental.
>> Many thanks for any tips. :-)
>
> I wrote up an authentication system in PHP over the weekend. I didn't
> use sessions as they seem of no use for this. It seems that if you're
> not using HTTPS the site is vulnerable; I'll deal with that later. I
> just have the person log in; their password is in the DB as SHA1. If both
> match they get a cookie random(6, 10), and I insert into the DB their IP
> and systime. Every time they access a page the cookie, IP and time are
> checked. All user input is sanitized. Anything else I should consider?

Sounds like you just created your own new version of session handling
without the years of experience that have gone into the native implementation.

Here's the OWASP top 10 list section on Authentication and Session 
Management.

http://www.owasp.org/index.php/Top_10_2007-A7

First item on the list:

# Only use the inbuilt session management mechanism. Do not write or use 
secondary session handlers under any circumstances.

--
Greg
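As an added example (not code from this thread or from either poster), here is the login flow Eric describes rebuilt on PHP's native session handler, which is what the OWASP item quoted above calls for. It uses the modern PHP API (7.3 or later for the array form of session_set_cookie_params and setcookie): password_hash/password_verify instead of a bare sha1, session_regenerate_id on successful login so a pre-login session ID cannot be fixated, a server-side idle timeout kept in $_SESSION rather than in a client cookie, and session.use_only_cookies plus use_strict_mode so the ID never travels in the URL and the server only honours IDs it issued itself. The table and column names, the session cookie name, the 1800-second idle limit and the in-memory SQLite user store are assumptions made for the example. The per-request IP check from the original post is left out on purpose: binding a session to a client address breaks for users whose address changes mid-session (mobile, carrier NAT, proxies), and the native handler's random ID already gives the unguessability the IP check was trying to add.

```php
<?php
// Added example: login built on PHP's built-in session mechanism.
// Table/column names, session name and the SQLite store are assumptions.
declare(strict_types=1);

// Harden the session before it starts. use_only_cookies stops the ID from
// ever being propagated in the URL; use_strict_mode rejects IDs the server
// did not issue, which defeats session fixation via an attacker-set cookie.
function configure_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // HTTPS only (the thread's "deal with it later")
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_name('APPSESSID');  // assumed name, not from the thread
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Constructed in-memory user store so the example runs offline.
function user_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:n, :h)');
    // password_hash: salted, deliberately slow, upgradable via password_needs_rehash.
    // A bare sha1 of the password offers none of that.
    $stmt->execute([':n' => 'alice', ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE name = :n');
    $stmt->execute([':n' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    // Privilege level changed: issue a fresh ID and drop the old one so an ID
    // an attacker planted or observed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['login_at']  = time();
    $_SESSION['last_seen'] = time();
    return true;
}

// Call at the top of every protected page after configure_session().
// The idle timer lives server-side, so the client cannot extend it.
function current_user(int $idle_limit = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > $idle_limit) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

// Clear server-side state and expire the cookie with the same attributes
// it was set with, otherwise the browser keeps the stale cookie.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Demo run (in a real app each step is a separate request sharing the cookie).
configure_session();
$db = user_store();
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(current_user());
logout();
var_dump(current_user());
```

The point of the example is how little is left to write once the native handler is used: ID generation, cookie issuance, server-side storage and expiry are all PHP's, and the application code only decides who is logged in and for how long.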






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
