Re: Re[2]: [phplib] Documentation on phplib From: Kristian Koehntopp
Date: 10/09/00

In netuse.lists.phplib you write:
>- How to deal properly with security, among the amazing
> quantity of magic strings which are the one to change, what are
> their role, should they be considered as password (changed
> every month ...)

The magic strings are a seed to the md5() generator. They need
not be changed regularly, they need only be kept secret in order
to make generated session ids harder to guess. The base of a
session id is md5(uniqid($this->magic)) and uniqid() uses the
Unix posix_getpid() and the Unix microtime() to generate a
unique id. If you happen to know the local time at the server,
you can severely limit the space of possible values in order to
guess a session id. With the magic value not known to an
attacker, this is much more difficult.

PHPLIB alone is not secure. You need to deploy SSL in order to do
this.

>- What to do with all these $classname everywhere

The classname must be set to the name of your derived class in
order for the serialization of objects to work properly. Only
classes going into the session management need to set a
classname and a persistent_slots[] array.

See the information on serializing objects for details.

Kristian
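The entropy argument above, worked through as an added example that is not part of the original thread or of PHPLIB itself. It is written in Python rather than PHP so it runs stand-alone: `php_uniqid` is an assumed reconstruction of the classic 13-hex-digit `uniqid()` layout (8 hex digits of seconds, 5 of microseconds), `candidate_space_bits` quantifies how much the secret magic widens the search space for an attacker who knows the server clock to within a window, and `hardened_session_id` shows the CSPRNG-based alternative a deployment would use today.

```python
import hashlib
import math
import secrets


def php_uniqid(prefix: str, seconds: int, microseconds: int) -> str:
    """Reconstruction (assumption) of PHP's classic uniqid(): prefix + %08x%05x."""
    if not 0 <= microseconds < 1_000_000:
        raise ValueError("microseconds out of range")
    return f"{prefix}{seconds:08x}{microseconds:05x}"


def phplib_session_id(magic: str, seconds: int, microseconds: int) -> str:
    """Mirror of the md5(uniqid($this->magic)) scheme described in the thread."""
    return hashlib.md5(php_uniqid(magic, seconds, microseconds).encode()).hexdigest()


def candidate_space_bits(window_seconds: int, secret_magic_bits: float = 0.0) -> float:
    """log2 of the ids an attacker must try.

    window_seconds: how precisely the attacker knows the server clock
                    (1 = to the second). Each second adds 10^6 microsecond
                    values, i.e. about 19.9 bits.
    secret_magic_bits: estimated entropy of the magic string if it is kept
                    secret; 0 if the attacker knows it (e.g. default value).
    """
    if window_seconds < 1:
        raise ValueError("window must cover at least one second")
    return math.log2(window_seconds * 1_000_000) + secret_magic_bits


def hardened_session_id() -> str:
    """128 bits from the OS CSPRNG; no dependence on time, pid or a magic string."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample clock value, not a real capture.
    sid = phplib_session_id("my_magic", 0x39E1_5C00, 123_456)
    print("id:", sid)
    print("known magic, clock known to the second: %.1f bits" % candidate_space_bits(1))
    print("secret 64-bit magic, same clock: %.1f bits" % candidate_space_bits(1, 64))
    print("hardened:", hardened_session_id())
```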
