Re: HTTP authentication

On Sun, 2001-04-29 at 05:44, Christian Marschalek wrote:
> > I just wrote an auth library that uses sessions and
> > stores passwords encrypted in the database. I am fairly new
> > to PHP (tho experienced in other web devel technologies) so
> > it might need improvements, but it works very well for me.
>
> I'm fairly new to PHP myself but I have like 4 years expirience with C
> and C++. I would check out if your library can be improved if you want
> me to.
>
> But for my project I'll use sessions without cookies because I can't
> rely on the users having the feature turned on in their browsers.

Don't forget that there are serious flaws in the URL rewriting approach
as well which are not present in the cookie approach :-(

Our company recently implemented a site where one of the more
egotistical coders was militantly anti-cookie and as a result we ended
up with URL rewriting (auth was not an option in this case).

As a result we ended up with people e-mailing (rewritten) URL's to
friends, or pasted (rewritten) URL's into ad serversand so forth. A few
days after we went live we had one session that was receiving a
substantial part of the traffic, and that session was saving user data
which was mutating in interesting ways.

On top of that, we finally ended up implementing cookies because it
turned out we needed more persistence of data than URL rewriting can
offer. The session code is _still_ crapola IMNSHO because it uses the
rewriting by preference, rather than treating the cookie as 'best'.

The PHP session code gets this _right_ by preferring cookies and falling
back to URL rewriting _if_it_has_to_ for those reasons.

Sure, cookies are some sort of security problem, but so are bookmarks
and history, not to mention page caches! If you wouldn't put it in a
URL, then don't put it in a cookie, by all means, but it is debatable
(and configurable) which hangs around on a users hard disk for the
longest. I know my browser history (i.e. URL coded information) is
currently set for three months, but if I get a session cookie it is gone
when I close my browser down - something I usually have to do every few
days.

All that I put in a cookie is an encrypted hashed value. Everything
else is derivable at the server end. I also only ever set one cookie,
and associate all information with that, again at the server.

Regards,
Andrew.
--
--------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267