Date: 05/09/01
- Next message: Garry Dunn: "[phplib] Control of a browsing computer's serial port?"
- Previous message: fabrizio.ermini <email protected>: "Re: Sv: [phplib] occasional problem with authentication"
- In reply to: James Johnson: "[phplib] Security issue with PHPLib?"
- Next in thread: Alex Black: "Re: [phplib] Security issue with PHPLib?"
- Reply: Alex Black: "Re: [phplib] Security issue with PHPLib?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 9 May 2001, at 10:21, James Johnson wrote:
> index.php3?test_Session=aea0664793ba8fba59c7e46f2f2eebe6
>
> if I add ?something on the end:
>
> index.php3?teknet_Session=aea0664793ba8fba59c7e46f2f2eebe6?a
>
> a Mysql error is generated as follows:
>
> Database error: Invalid SQL: insert into active_sessions ( sid, name, val,
> changed ) values ('aea0664793ba8fba59c7e46f2f2eebe6?a', 'test_Session',
> 'dGVrbmV...Jzsg', '20010509100439')
> MySQL Error: 1062 (Duplicate entry
> 'test_Session-aea0664793ba8fba59c7e46f2f2eebe6' for key 1)
> Session halted.
>
> Doesn't this provide potentially useful information for someone
> trying to break into a site? I have always thought that one
> of the principles of security on the web is never to trust info
> from the client. Shouldn't the above problem be caught before
> the SQL query?
>
You're right about the "never trust" paradigm, and for this reason
"get" method session management should NEVER be used
whenever there is even a minor worry about security, since it's
extremely insecure by itself. Neither is the cookie method particularly
safe, but at least it's harder to tamper with.
Indeed, as is stated in the docs, high security on the web requires
completely different techniques than those offered by PHPlib.
> A second question. I only use PHPLib for sessions and authentication,
> not any of the other stuff. What other options are available if you
> just want that functionality? Anyone know of any simpler classes
> that do the two things I require? I guess the ideal would be to use
> a backport of PHP4 sessions (such as that in Tobias Ratschiller's
> book Web App. Dev. with PHP4) with a suitable authentication/
> authorization class - that would give maximum flexibility using both
> PHP3 and 4. Any ideas?
>
I really am not able to think of a sess/auth approach simpler and
more general than PHPlib's, sorry :-)
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Fabrizio Ermini
C.so Umberto, 7
loc. Meleto Valdarno
52020 Cavriglia (AR)
Alternate E-mail: faermini <email protected>
Mail on GSM (keep it short!): faermini <email protected>
---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
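The defect James describes is that a client-supplied session id is concatenated into the INSERT and the raw MySQL error is echoed back. The following is an added example, not PHPLib's code: it rejects anything that is not a 32-hex-character id before any query runs, binds the id as a parameter, and keeps database errors out of the response. The in-memory SQLite table, the function names and the stored value are constructed for the demo; only the table and column names come from the quoted error message.

```php
<?php
// Added example (not PHPLib code). Validate the session id from the
// client before it reaches the database, and never echo DB errors.

function is_valid_session_id(string $sid): bool {
    // Ids in the quoted message are 32 lowercase hex characters (an MD5).
    // "aea0...ebe6?a" fails this check, so no SQL is ever built from it.
    return preg_match('/\A[0-9a-f]{32}\z/', $sid) === 1;
}

function load_session(PDO $db, string $name, string $sid): ?string {
    if (!is_valid_session_id($sid)) {
        return null;   // treat as "no session"; do not touch the database
    }
    // Parameterised query: the id is bound, never concatenated into SQL.
    $stmt = $db->prepare(
        'SELECT val FROM active_sessions WHERE sid = :sid AND name = :name'
    );
    $stmt->execute([':sid' => $sid, ':name' => $name]);
    $val = $stmt->fetchColumn();
    return $val === false ? null : $val;
}

// Constructed stand-in for the active_sessions table seen in the error.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (sid TEXT, name TEXT, val TEXT,'
        . ' changed TEXT, PRIMARY KEY (name, sid))');
$db->exec("INSERT INTO active_sessions VALUES"
        . " ('aea0664793ba8fba59c7e46f2f2eebe6', 'test_Session',"
        . " 'constructed-session-data', '20010509100439')");

$good = 'aea0664793ba8fba59c7e46f2f2eebe6';
$bad  = $good . '?a';   // the tampered value from the quoted message

try {
    var_dump(load_session($db, 'test_Session', $good)); // the stored value
    var_dump(load_session($db, 'test_Session', $bad));  // NULL, no query run
} catch (PDOException $e) {
    // Details go to the server log; the client sees only a generic line.
    error_log($e->getMessage());
    echo "Session error.\n";
}
```

With the check in place the tampered id is dropped before the query, so neither the SQL text nor the MySQL error code reaches the browser.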