Re: the "correct" way to login. - Mailing list pgsql-php
From | Cássio Alexandre Pereira de Castro
---|---
Subject | Re: the "correct" way to login.
Date |
Msg-id | 008301c0ad49$b9dd9ba0$4905a8c0@bh.embare.com.br
In response to | Re: Re: Re: Secure pages ("Martin A. Marques" <martin@math.unl.edu.ar>)
List | pgsql-php
I use this solution too, in order to authenticate my users. My users/password table is in a PostgreSQL database.

Cassio.

----- Original Message -----
From: "Andrew Hammond" <drew@waugh.econ.queensu.ca>
To: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
Sent: Thursday, March 15, 2001 7:37 AM
Subject: [PHP] the "correct" way to login.

> On Wed, Mar 14, 2001 at 02:39:28AM +0100, Christian Marschalek wrote:
> > > Horrible idea!! Even with an encrypted password. Use PHP
> > > sessions, and save any info on the session (this is saved on a
> > > temp file on the server, and only the session handle is passed
> > > to the browser).
>
> The HTTP protocol provides userid/password based authentication.
> Using cookies or hidden variables in a form, while a popular
> approach, is not the correct way to do this. Furthermore, a lot
> of people out there surf through a junk filter which will
> probably not let your cookie through. Mine certainly won't.
>
> The solution is to use the HTTP auth stuff. You can do this
> either using apache's Require directive at the server layer or
> directly in your scripts.
>
> To do it using apache, you need to edit your httpd.conf or
> appropriate configuration file and put in something like the
> following:
>
> <Directory /foo>
>     AuthType Digest
>     AuthName "realm foo"
>     AuthUserFile /web/users
>     AuthGroupFile /web/groups
>     Require group admin
> </Directory>
>
> Or you could just put the stuff contained in the Directory
> stanza into a .htaccess file in the directory you want to
> restrict access to, however that is inefficient since the
> .htaccess file needs to be stat'd every time a page is accessed.
> It also only allows directory level granularity and it's a pain
> in the ass to make the 401 message meaningful. But it's
> sufficient for many jobs and very fast. The apache approach also
> supports the digest method giving some transportation security,
> while the direct php approach does not.
>
> To do it in your script directly, you need to pay attention
> to $PHP_AUTH_USER and $PHP_AUTH_PW. For example:
>
> if (!isset($PHP_AUTH_USER)) {
>     Header("WWW-Authenticate: Basic realm=\"sis_access\"");
>     Header("HTTP/1.0 401 Unauthorized");
>     include('denied.html'); // or you could redirect
>     exit;
> }
>
> Then test the password the same way. Passwords should (obviously)
> be stored in an encrypted format (MD5 is suitable, or you can just
> use good old DES crypt). This will provide you with localized
> security. For transport level security you can either use the
> digest method for authentication, or if you're really serious, an
> SSL connection. Of course if you're _really_ serious you're going
> to be using x509 certs and public key crypto, not some rinky-dink
> password based system.
>
> System Administration: It's a dirty job,
> Then you're doing it wrong.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
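As an added example (not code from the thread or its authors), the in-script approach Andrew describes, written for current PHP and checked against the kind of PostgreSQL users table Cássio mentions: a Basic challenge, then a lookup with a prepared statement and a salted slow hash instead of MD5/DES crypt. Assumed and not from the page: PHP 7.1+ running as an Apache module (so PHP_AUTH_USER/PHP_AUTH_PW are populated), PDO_pgsql, the `users` table, DSN and `DB_PASSWORD` environment variable shown in the comments, and TLS in front, since Basic auth sends the password in clear (the transport point the post makes).

```php
<?php
// Added example, not code from the thread. Assumed schema (constructed):
//   CREATE TABLE users (username text PRIMARY KEY, password_hash text NOT NULL);
// where password_hash holds password_hash() output. Basic auth carries the
// password in clear, so this is meant to run behind TLS.

const REALM = 'sis_access';

function requireAuth(): void {
    // Send the challenge and stop; the browser retries with credentials.
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    echo 'Authentication required';
    exit;
}

function checkCredentials(PDO $db, string $user, string $pass): bool {
    // The username is client-controlled: bind it, never interpolate it into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: spend comparable hashing work so response time does
        // not reveal which usernames exist, then deny regardless.
        password_hash($pass, PASSWORD_DEFAULT);
        return false;
    }
    // Salted, slow (bcrypt by default) comparison replaces the MD5/DES crypt
    // storage the 2001 post recommends.
    return password_verify($pass, $row['password_hash']);
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;  // modern form of $PHP_AUTH_USER
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if ($user === null || $pass === null) {
    requireAuth();
}

$db = new PDO('pgsql:host=localhost;dbname=app', 'webapp',
              getenv('DB_PASSWORD') ?: null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (!checkCredentials($db, $user, $pass)) {
    // Record failures for detection; strip control characters from the
    // client-supplied name so it cannot forge log lines, and never log $pass.
    $safeUser = preg_replace('/[^\w.@-]/', '_', $user);
    error_log(sprintf('auth failure user=%s ip=%s', $safeUser, $_SERVER['REMOTE_ADDR'] ?? '-'));
    requireAuth();
}
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```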