On Wed, Mar 14, 2001 at 02:39:28AM +0100, Christian Marschalek wrote:
> > Horrible idea!! Even with an encrypted password. Use PHP
> > sessions, and save
> > any info on the session (this is saved on a temp file on the
> > server, and only
> > the session handle is passed to the browser).
The HTTP protocol provides userid/password based authentication.
Using cookies or hidden variables in a form while a popular
approach is not the correct way to do this. Furthermore, a lot
of people out there surf through a junk filter which will
probably not let your cookie through. Mine certainly won't.
The solution is to use the HTTP auth stuff. You can do this
either using apache's Require dirrective at the server layer or
dirrectly in your scripts.
To do it using apache, you need to edit your httpd.conf or
appropriate configuration file and put in something like the
following:
<Dirrectory /foo>
AuthType Digest
AuthName "realm foo"
AuthUserFile /web/users
AuthGroupFile /web/groups
Require group admin
</Dirrectory>
Or you could just put the stuff contained in the Dirrectory
stanza into a .htaccess file in the dirrectory you want to
restrict access too, however that is inefficient since the
.htaccess file needs to be stat'd ever time a page is accessed.
It also only allows dirrectory level granularity and it's a pain
in the ass to make the 401 message meaningfull. But it's
sufficient for many jobs and very fast. The apache approach also
supports the digest method giving some transportation security,
while the dirrect php approach does not.
To do it in your script, dirrectly you need to pay attention
to $PHP_AUTH_USER and $PHP_AUTH_PW. For example:
if(!isset($PHP_AUTH_USER)) {
Header("WWW-Authenticate: Basic realm=\"sis_access\"");
Header("HTTP/1.0 401 Unauthorized");
include ( 'denied.html' ); // or you could redirrect
exit;
}
Then test the password the same way. Passwords should (obviously)
be stored in an encrypted format (MD5 is suitable, or you can just
use good old DES crypt). This will provide you with localized
security. For transport level security you can either use the
digest method for authentication, or if you're really serious, an
SSL connection. Of course if you're _really_ serious you're going
to be using x509 cert's and public key crypto, not some rinky dink
password based system.
> > System Administration: It's a dirty job,
Then you're doing it wrong.
