[thelist] php login security (was: Call html page with php)
Andrew Forsberg
andrew at thepander.co.nz
Wed Feb 20 06:01:01 CST 2002
> i have done on about fifteen community websites i have produced in php 3,
> before session variables were available. process follows:
PHP 3 or PHP 4 is beside the point: cookies for session ids and
authorization use have been around for more than a few years.
> // check login
> if (login is valid) {
>     $loginOK = "yes";
> } else {
>     $loginOK = "no";
> }
>
> so, the querystring value for $loginOK is irrelevant.
Hold on a minute: do you mean that the username and password are getting
bandied about somehow (GET/POST) to each page following initial
authorization? And *then* processed on each page? The overhead wouldn't be
too much I guess (although it's inelegant), but why keep passing the
username and pass back and forth? (Assuming you were serious about not using
session variables this would be a necessary consequence.)
> > Not testing for a variable within an explicitly stated scope is:
> > 1) lazy, 2) asking for trouble. Especially when dealing with logins.
>
> i disagree. using your argument, you have to set every variable as a
> session argument, simply because a variable can be set in the query string?
It doesn't have to be a session variable -- that's just a convenient way to
store a user's logged-in status. It means the program doesn't have to do a
database query on every single page within a sensitive area (assuming the
user/pass info is in a db) then decide whether or not the user is valid,
even though the user has logged in already. It also means you don't have to
pass the user/pass from page to page <shudder/> via POST or GET variables.
If the $loginOK variable is only for internal processing use on one page
then there is no issue. I guess I was concerned at the idea this would get
sent via POST/GET schemes and used for further authorization on other pages
(that would be silly).
What are the advantages of reauthenticating a user on each page? (Sorry it's
well past midnight here, so I am likely a bit slow off the mark.)
Cheers
Andrew
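As an added illustration (not code from the thread or from either participant), here is the pattern Andrew argues for in PHP: credentials are verified once, at login, and only a logged-in flag is kept in the session, while protected pages test that explicitly named `$_SESSION` scope rather than a bare `$loginOK` that a request variable could populate. The user table, `verifyCredentials()`, `loginPage()` and `requireLogin()` are constructed for this example and assume PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (password_hash /
// password_verify). The user table is constructed; real code stores the hash.
declare(strict_types=1);

// Constructed stand-in for the user database the thread mentions. The hash is
// computed at startup only so the example is self-contained.
function passwordHashFor(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

// The one database check, run at login time only, never on every page.
function verifyCredentials(string $username, string $password): bool
{
    $hash = passwordHashFor($username);
    return $hash !== null && password_verify($password, $hash);
}

// The pattern the thread worries about: when request variables and script
// variables share one namespace (old register_globals behaviour), a value
// arriving in the query string satisfies this test without the credential
// check ever having run. $mergedGlobals models that flattened scope.
function unsafeIsLoggedIn(array $mergedGlobals): bool
{
    return ($mergedGlobals['loginOK'] ?? '') === 'yes';
}

// Hardened: the flag lives only in $_SESSION, which the client cannot write
// (it holds just the opaque session id cookie), and the scope is explicit.
function loginPage(string $username, string $password): bool
{
    if (!verifyCredentials($username, $password)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after the privilege change
    $_SESSION['loginOK'] = true;
    $_SESSION['user']    = $username;
    return true;
}

// Guard for any page in the sensitive area: no db query, no user/pass
// passed around, just a test of the explicitly named session scope.
function requireLogin(): void
{
    if (empty($_SESSION['loginOK'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}

// CLI demonstration (constructed; no cookies or real requests involved).
// Session work happens before any output so session calls are not blocked.
if (PHP_SAPI === 'cli') {
    session_start();
    $results = [
        'unsafe check with ?loginOK=yes' => unsafeIsLoggedIn(['loginOK' => 'yes']),
        'login with wrong password'       => loginPage('alice', 'wrong'),
        'session flag after failure'      => isset($_SESSION['loginOK']),
        'login with right password'       => loginPage('alice', 'correct horse battery'),
        'session flag after success'      => $_SESSION['loginOK'] ?? false,
    ];
    foreach ($results as $label => $value) {
        printf("%-32s %s\n", $label, var_export($value, true));
    }
}
```

The point of the contrast is that `unsafeIsLoggedIn()` can be satisfied by whatever the request supplies, whereas `$_SESSION['loginOK']` is only ever written by `loginPage()` after `verifyCredentials()` succeeded, so every later page can trust it without re-sending the username and password.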