Re: [phplib] question about functionality of phplib
From: Max A. Derkachev (kot <email protected>)
Date: 01/30/01

Hello aellist,

Monday, January 29, 2001, 11:12:59 PM, you wrote:

a> The problem is that the usernames and passwords are passed in plain text
a> between the browser and the server, which defeats the purpose of server-side
a> security for my purposes (for which security is crucial).
a> I can set up the site with SSL - but this won't always apply, for various
a> reasons (and I want to just improve my understanding of PHP in general).
a> So, assuming SSL cannot be used, what are the various ways to pass encrypted
a> data from the browser to the server?

PHPLib has an option for the Auth class - look in the default
local.inc for Challenge_Crypt_Auth. In short, it sends a key
(challenge) to a client, and IF the client has JavaScript enabled, an
MD5 hash of a combination of username, password and challenge will be
computed by a JavaScript program on the client side, and the username
and this hash will be sent back to the server instead of the plain
password.
While this approach makes your app more secure, you should not
completely rely on it. It does not protect you from the
man-in-the-middle attack. If security is crucial, seriously
consider using an SSL-enabled web server.

a> Is this the sort of thing that phplib
a> is designed for? (I thought so, but I have become unsure of this
a> assumption.)
No. PHPLib is designed to make developers' lives easier, not only with
authentication. :)

a> And how well does phplib integrate with PHP 4?
There are some approaches in the current CVS now. I wrote one, a
Session class using the PHP4 sessions implementation. It can be downloaded
at http://phplib.netuse.de/cgi/cvsweb.cgi/php-lib/php/session/session4_custom.inc

-- 
Best regards,
Max A. Derkachev mailto:kot <email protected>
Symbol-Plus Publishing Ltd.
phone: +7 (812) 324-53-53
http://www.Books.Ru -- All Books of Russia
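
Added example (not part of the original message and not PHPLib's own code): a sketch of the challenge/response login described above, with both the client-side hash and the server-side check, including single-use challenges so a captured response cannot be replayed. The `user:password:challenge` hash layout, the names `clientResponse`, `ChallengeAuth` and `demo`, and the sample credentials are assumptions made for illustration.

```javascript
// Added illustration, not PHPLib code. The "user:password:challenge"
// layout and all names below are assumptions made for this sketch.
const { createHash, randomBytes, timingSafeEqual } = require("crypto");

const md5hex = (s) => createHash("md5").update(s, "utf8").digest("hex");

// Client side: what the login form's script computes before submitting.
function clientResponse(username, password, challenge) {
  return md5hex(`${username}:${password}:${challenge}`);
}

// Server side: issues one challenge per login attempt and checks the reply.
class ChallengeAuth {
  constructor(users) {
    this.users = users;        // username -> password, needed to recompute the hash
    this.pending = new Map();  // sessionId -> outstanding challenge
  }
  issue(sessionId) {
    const challenge = randomBytes(16).toString("hex");
    this.pending.set(sessionId, challenge);
    return challenge;
  }
  verify(sessionId, username, response) {
    const challenge = this.pending.get(sessionId);
    this.pending.delete(sessionId); // single use: a replay finds no challenge
    const password = this.users.get(username);
    if (challenge === undefined || password === undefined) return false;
    const expected = Buffer.from(clientResponse(username, password, challenge), "hex");
    const got = Buffer.from(String(response), "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);
  }
}

// Constructed credentials and session id, for demonstration only.
function demo() {
  const auth = new ChallengeAuth(new Map([["alice", "correct horse"]]));
  const c1 = auth.issue("sess-1");
  const r1 = clientResponse("alice", "correct horse", c1);
  const first = auth.verify("sess-1", "alice", r1);
  const replaySameSession = auth.verify("sess-1", "alice", r1);
  auth.issue("sess-1"); // fresh challenge; the old response no longer matches
  const replayNewChallenge = auth.verify("sess-1", "alice", r1);
  const c3 = auth.issue("sess-1");
  const wrongPassword = auth.verify("sess-1", "alice", clientResponse("alice", "guess", c3));
  return { first, replaySameSession, replayNewChallenge, wrongPassword };
}

console.log(demo());
```

The hash only keeps the plain password off the wire; nothing in this exchange authenticates the server or protects the page that delivers the script, which is the man-in-the-middle gap the reply mentions.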
 
