From: "Christian Marschalek" <cm(at)chello(dot)at>
To: "'Andrew Hammond'" <drew(at)waugh(dot)econ(dot)queensu(dot)ca>
Cc: "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Subject: RE: HTTP authentication
Date: 2001-04-27 20:54:21
Message-ID: 000201c0cf5ce9a14c000a8c0@server
Lists: pgsql-php
> -----Original Message-----
> From: Andrew Hammond [mailto:drew(at)waugh(dot)econ(dot)queensu(dot)ca]
> Sent: Friday, April 27, 2001 8:21 PM
> To: Christian Marschalek
> Subject: Re: [PHP] HTTP authentication
>
> If you need _serious_ security, then you need to start
> thinking about using SSL and x.509 certificates.
I don't think the project needs to be THAT secure. But anyway, the SSL
stuff only secures my connection. I'd still need a way to control access
to my system, wouldn't I?
> Otherwise, you can reasonably use
> either the http auth stuff, which is probably the best approach,
> especially for a site that's got any kind of heavy usage or
> something based on PHP sessions. However be forewarned that
> the sessions stuff isn't exactly the most efficient and fast.
(either?:)
Well, PHP auth and sessions are probably the right approach. Which one
would be more efficient or faster?
Thanks and greetings Chris
From: Roberto Mello <rmello(at)cc(dot)usu(dot)edu>
To: Christian Marschalek <cm(at)chello(dot)at>
Cc: "'Andrew Hammond'" <drew(at)waugh(dot)econ(dot)queensu(dot)ca>, "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Subject: Re: HTTP authentication
Date: 2001-04-28 15:17:25
Message-ID: 20010428091725.A19929@cc.usu.edu
Lists: pgsql-php
On Fri, Apr 27, 2001 at 10:54:21PM +0200, Christian Marschalek wrote:
> > Otherwise, you can reasonably use
> > either the http auth stuff, which is probably the best approach,
> > especially for a site that's got any kind of heavy usage or
> > something based on PHP sessions. However be forewarned that
> > the sessions stuff isn't exactly the most efficient and fast.
What's the problem with sessions? Are they slow? I don't see why since
it just grabs the cookie from the browser and reads the appropriate file
from the sessions directory.
> Well, PHP auth and sessions are probably the right approach. Which one
> would be more efficient or faster?
I just wrote an auth library that uses sessions and stores passwords
encrypted in the database. I am fairly new to PHP (tho experienced in
other web devel technologies) so it might need improvements, but it works
very well for me.
-Roberto
--
+----| http://fslc.usu.edu USU Free Software & GNU/Linux Club |------+
Roberto Mello - Computer Science, USU - http://www.brasileiro.net
http://www.sdl.usu.edu - Space Dynamics Lab, Developer
let length(Long_Walk) > length(Short_Pier)
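Roberto does not post his library, so the following is an added example (not his code, and not from the pgsql-php archive) of the pattern he describes: a PHP login backed by PostgreSQL that keeps the logged-in state in a PHP session. One deliberate difference from his description: passwords are stored as salted one-way hashes via password_hash() rather than "encrypted", because a leaked table of hashes yields no reusable secret and there is no decryption key to protect. Assumptions: a table `users(username TEXT PRIMARY KEY, password_hash TEXT)`, the pgsql extension, PHP 7 or later (the thread is from the PHP4 era), and a placeholder connection string.

```php
<?php
// Added example, not Roberto's library: session-based login against PostgreSQL.
// Assumes a table users(username TEXT PRIMARY KEY, password_hash TEXT) whose
// password_hash column holds password_hash() output. PG_DSN is a placeholder.

declare(strict_types=1);

const PG_DSN = 'host=localhost dbname=app user=app password=CHANGE_ME'; // placeholder

// Store a new user's password as a salted hash. password_hash() picks the
// algorithm and cost; the salt is embedded in the returned string.
function registerUser($db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    pg_query_params($db,
        'INSERT INTO users (username, password_hash) VALUES ($1, $2)',
        [$username, $hash]);
}

// Verify credentials. Parameterised query: the username never reaches SQL text.
function checkCredentials($db, string $username, string $password): bool
{
    $res = pg_query_params($db,
        'SELECT password_hash FROM users WHERE username = $1', [$username]);
    $row = pg_fetch_assoc($res);
    if ($row === false) {
        // Unknown user: still run a verify so the response time does not
        // reveal whether the account exists.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// On success, issue a fresh session id so an id handed out before login
// (or planted by someone else) cannot become an authenticated session.
function login($db, string $username, string $password): bool
{
    if (!checkCredentials($db, $username, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Gate for protected pages: only the server-side session decides.
function requireLogin(): string
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('login required');
    }
    return $_SESSION['user'];
}

session_start();
$db = pg_connect(PG_DSN) or exit('db connection failed');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($db,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? ''));
    echo $ok ? 'logged in' : 'bad credentials';
} else {
    echo 'hello ' . htmlspecialchars(requireLogin());
}
```

Only the session id travels to the browser; the username and login time live in the server-side session file, which is also the answer to Christian's earlier question about needing access control on top of SSL: the transport protects the credentials in flight, and the session plus this check decides who may see each page.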
From: "Christian Marschalek" <cm(at)chello(dot)at>
To: "'Roberto Mello'" <rmello(at)cc(dot)usu(dot)edu>
Cc: "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Subject: RE: HTTP authentication
Date: 2001-04-28 17:44:43
Message-ID: 000501c0d00a$eed1052000a8c0@server
Lists: pgsql-php
> I just wrote an auth library that uses sessions and
> stores passwords encrypted in the database. I am fairly new
> to PHP (tho experienced in other web devel technologies) so
> it might need improvements, but it works very well for me.
I'm fairly new to PHP myself but I have like 4 years' experience with C
and C++. I would check out whether your library can be improved if you want
me to.
But for my project I'll use sessions without cookies because I can't
rely on the users having the feature turned on in their browsers.
Greets
From: Roberto Mello <rmello(at)cc(dot)usu(dot)edu>
To: Christian Marschalek <cm(at)chello(dot)at>
Cc: "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Subject: Re: HTTP authentication
Date: 2001-04-28 23:20:46
Message-ID: 20010428172046.A22048@cc.usu.edu
Lists: pgsql-php
On Sat, Apr 28, 2001 at 07:44:43PM +0200, Christian Marschalek wrote:
>
> I'm fairly new to PHP myself but I have like 4 years' experience with C
> and C++. I would check out whether your library can be improved if you want
> me to.
>
> But for my project I'll use sessions without cookies because I can't
> rely on the users having the feature turned on in their browsers.
My library should be ok with cookies turned off since it's managed
through PHP4 sessions, which can use server-side or client-side cookies.
Let me finish my finals (next week) and refine it a little bit, then
I'll post it somewhere on my website and let the list know.
I also made yet another DB abstraction layer for PHP, modeled after
AOLserver's excellent DB layer. I was using PEAR, but every time I accessed
a page using PEAR I had time to go buy a pizza and come back before the
query was done, so I decided to write my own.
-Roberto
--
+----| http://fslc.usu.edu USU Free Software & GNU/Linux Club |------+
Roberto Mello - Computer Science, USU - http://www.brasileiro.net
http://www.sdl.usu.edu - Space Dynamics Lab, Developer
A little inaccuracy sometimes saves tons of explanation. -- H. H. Munroe
From: Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz>
To: Christian Marschalek <cm(at)chello(dot)at>
Cc: beloshapka(at)mnogo(dot)ru, "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Subject: Re: HTTP authentication
Date: 2001-11-16 10:26:20
Message-ID: 1005906380.4156.2.camel@kant.mcmillan.net.nz
Lists: pgsql-php
On Sun, 2001-04-29 at 05:44, Christian Marschalek wrote:
> > I just wrote an auth library that uses sessions and
> > stores passwords encrypted in the database. I am fairly new
> > to PHP (tho experienced in other web devel technologies) so
> > it might need improvements, but it works very well for me.
>
> I'm fairly new to PHP myself but I have like 4 years' experience with C
> and C++. I would check out whether your library can be improved if you want
> me to.
>
> But for my project I'll use sessions without cookies because I can't
> rely on the users having the feature turned on in their browsers.
Don't forget that there are serious flaws in the URL rewriting approach
as well which are not present in the cookie approach :-(
Our company recently implemented a site where one of the more
egotistical coders was militantly anti-cookie and as a result we ended
up with URL rewriting (auth was not an option in this case).
As a result we ended up with people e-mailing (rewritten) URLs to
friends, or pasting (rewritten) URLs into ad servers and so forth. A few
days after we went live we had one session that was receiving a
substantial part of the traffic, and that session was saving user data
which was mutating in interesting ways.
On top of that, we finally ended up implementing cookies because it
turned out we needed more persistence of data than URL rewriting can
offer. The session code is _still_ crapola IMNSHO because it uses the
rewriting by preference, rather than treating the cookie as 'best'.
The PHP session code gets this _right_ by preferring cookies and falling
back to URL rewriting _if_it_has_to_ for those reasons.
Sure, cookies are some sort of security problem, but so are bookmarks
and history, not to mention page caches! If you wouldn't put it in a
URL, then don't put it in a cookie, by all means, but it is debatable
(and configurable) which hangs around on a user's hard disk for the
longest. I know my browser history (i.e. URL coded information) is
currently set for three months, but if I get a session cookie it is gone
when I close my browser down - something I usually have to do every few
days.
All that I put in a cookie is an encrypted hashed value. Everything
else is derivable at the server end. I also only ever set one cookie,
and associate all information with that, again at the server.
Regards,
Andrew.
--
--------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267
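As an added example (not from Andrew's company, Christian's project, or the thread), here is what the two positions in this exchange look like as PHP session configuration: the first function reproduces the "rewriting by preference" setup Andrew describes, the second makes the cookie the only carrier of the session id, and the remaining code detects the failure mode he reports, a session id arriving in the query string because a rewritten URL was mailed or pasted somewhere, logs it and drops it. It assumes PHP 7.3 or later (the session.cookie_samesite directive is newer than the thread), a site served over HTTPS, and a placeholder log path. Cookie values follow Andrew's rule: the cookie holds only an opaque random id and everything else stays on the server.

```php
<?php
// Added example, not code from the thread: session transport settings in PHP.
// weakSessionConfig() reproduces the URL-rewriting preference the post warns
// about; hardenedSessionConfig() makes the cookie the only carrier of the id.
// Assumes PHP >= 7.3 and HTTPS. SESSION_LOG is a placeholder path.

declare(strict_types=1);

const SESSION_LOG = '/var/log/app/session.log'; // placeholder

// The setup the post complains about: every link and form gets the session id
// appended, and an id found in the query string is accepted as the session.
function weakSessionConfig(): void
{
    ini_set('session.use_trans_sid', '1');
    ini_set('session.use_only_cookies', '0');
}

// Cookie-only transport. All of these must be set before session_start().
function hardenedSessionConfig(): void
{
    ini_set('session.use_only_cookies', '1');  // id accepted from the cookie only
    ini_set('session.use_trans_sid', '0');     // never append it to URLs
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    ini_set('session.cookie_httponly', '1');   // not readable by page script
    ini_set('session.cookie_secure', '1');     // HTTPS only
    ini_set('session.cookie_samesite', 'Lax');
    ini_set('session.cookie_lifetime', '0');   // session cookie: gone on browser close
    // The cookie value stays an opaque random id; state lives server-side.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
}

// Detection for the failure mode in the post: a session id carried in the URL.
// Returns true when the query string contains the session cookie's name.
function sessionIdInUrl(array $query): bool
{
    return array_key_exists(session_name(), $query);
}

// Record where the leaked id came from (referer is the useful field when the
// URL was pasted into a third-party page) without writing the id itself.
function logLeakedSessionId(array $server): void
{
    $line = sprintf("%s leaked-sid ip=%s referer=%s uri=%s\n",
        date('c'),
        $server['REMOTE_ADDR'] ?? '-',
        $server['HTTP_REFERER'] ?? '-',
        strtok($server['REQUEST_URI'] ?? '/', '?'));
    error_log($line, 3, SESSION_LOG);
}

hardenedSessionConfig();

if (sessionIdInUrl($_GET)) {
    logLeakedSessionId($_SERVER);
    // Redirect to the same path without the query string so the leaked id is
    // discarded; the browser's own cookie, if any, then identifies the session.
    http_response_code(303);
    header('Location: ' . strtok($_SERVER['REQUEST_URI'] ?? '/', '?'));
    exit;
}

session_start();
echo 'session ok';
```

The same directives can be set in php.ini instead of ini_set(), which is the better place for them since they then apply to every script. With session.use_only_cookies on, PHP already ignores an id in the query string, so the explicit check is there for the log line: one session suddenly carrying a large share of the traffic, as in Andrew's story, shows up as a burst of leaked-sid entries with the same referer long before the data in that session starts "mutating in interesting ways".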