<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.emailstyle17
{font-family:Arial;
color:windowtext;}
span.emailstyle18
{font-family:Arial;
color:navy;}
span.EmailStyle19
{font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
/* List Definitions */
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>That helps a ton. That is actually a lot
like the system I was picturing, except you’ve obviously done a bit more
thought on the expiration side of the problem. I’m very leery about coupling
the system with client IP matching, just because of the poor sods on AOL and
MSN, and all the fun proxy things both services do.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>SSL is a definite, but the problem that I
worry about, but few others seem to, is the problem of a valid user executing a
privilege escalation. And that is what most systems I see seem to leave wide
open.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Everyone who codes a website service seems
to end up writing their own session system. Let me take that back, I’ve
seen session systems that are supposed to be able to plug into anything you
want to create, but again, they just don’t seem that secure. There should
be a nice, paranoid custom database driven session framework in open source,
and then we could have a great time tying all the nice web services out there
into the same backend without going insane.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Speaking of paranoid, how’s this?</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>function sessionid()</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>{</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>// The purpose of this function is to
generate a 110 digit,</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>// case sensitive alphanumeric session ID
for the purpose of</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>// tracking active logins. It uses
multiple entropy sources.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>// Generating large random numbers can be
resource intensive,</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>// So the upper limit of the random
numbers can be tuned to </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>// provide the right balance of
uniqueness, and system performance.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
Generate a unique ID based on the server clock</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $uid_clock=uniqid(1);</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
Generate a random number called $rand_num1</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $rand_num1=rand(1,
1000000000000);</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
Generate a random number called $rand_num2</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $rand_num2=rand(1,
1000000000000);</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
Calculate a md5 hash of each random number separately</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $rand_hash1=
md5($rand_num1);</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $rand_hash2=
md5($rand_num2);</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
Generate user_remote_info based on the client ip and port, if they exist.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $user_remote_info
= $_SERVER['REMOTE_ADDR'].$_SERVER['REMOTE_PORT'];</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
Calculate a hash based on the remote user info</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $user_remote_hash=
md5($user_remote_info);</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
Combine the above hashes, and unique id's to create a relatively</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> #
unique and hard to guess string</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> $nsessionid=
$rand_hash1.$uid_clock.$rand_hash2.$user_remote_hash;</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> return
$nsessionid;</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>}</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Tillman, James
[mailto:JamesTillman@fdle.state.fl.us] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, May 16, 2003 1:31 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Phillip Tyre;
tallahassee-pm@mail.pm.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [Tallahassee-pm] PHP
authentication</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Yes, the silence has been
unfortunate. I've been up to my ears in work these last few weeks.</span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>In my own previous work,
I have been able to go a little further than simply setting a cookie in the
browser and trusting it from then on. What I've done in the past with my
own security systems was:</span></font></p>
</div>
<p class=MsoNormal style='margin-left:1.0in;text-indent:-.25in'><font size=2
face=Symbol><span style='font-size:10.0pt;font-family:Symbol'>·<font
size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></font><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Create a large randomized
string (20 chars min.) and use that value as a session key (I call
it a "ticket"),which gets stored in the database as being tied
to a particular user, and is then sent to the browser as a cookie along
with another cookie indicating the username.</span></font></p>
<p class=MsoNormal style='margin-left:1.0in;text-indent:-.25in'><font size=2
face=Symbol><span style='font-size:10.0pt;font-family:Symbol'>·<font
size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></font><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Each "ticket"
has an expiration time of about 15 minutes (not an actual HTTP cookie
expiration time, but a time my code keeps track of). This time can be as long
or short as you want, depending on how paranoid you are.</span></font></p>
<p class=MsoNormal style='margin-left:1.0in;text-indent:-.25in'><font size=2
face=Symbol><span style='font-size:10.0pt;font-family:Symbol'>·<font
size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></font><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Each time the browser
accesses the web app, my server side code verifies that the cookie value
matches the current ticket that is stored in the database for that user (or
that is cached on the web server somehow -- it doesn't have to be a database,
see Apache::Session), and that the "ticket" hasn't expired. </span></font></p>
<p class=MsoNormal style='margin-left:1.0in;text-indent:-.25in'><font size=2
face=Symbol><span style='font-size:10.0pt;font-family:Symbol'>·<font
size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></font><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>If the ticket has
expired, a new one is generated, stored in the db, and issued to the browser
without the user being any the wiser.</span></font></p>
<p class=MsoNormal style='margin-left:1.0in;text-indent:-.25in'><font size=2
face=Symbol><span style='font-size:10.0pt;font-family:Symbol'>·<font
size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>
</span></font></span></font><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>If an invalid ticket is
passed in, all valid sessions for that user are deleted, and the user is asked
to log in again.</span></font></p>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>The end result is that it
becomes very difficult for someone to hijack a user's session because they must
be able to send in the usercode cookie and the ticket cookie, which is
very hard to guess. Even if they manage to do that, they'll only get 15
minutes (or whatever I've set the expiry to be) before they blow up the session
and force a login, since either their browser or the legitimate user's browser
will send an invalid ticket once a new one gets issued and the system will kick
them both out.</span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>This has worked very well
for me in the past, and when coupled with a method for IP address
matching, it becomes even more secure.</span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Essentially, if you need
more security than this, I'd say it's time to add SSL into the mix.</span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>hope this helps!</span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>jpt</span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'> </span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-right:0in;margin-bottom:12.0pt;margin-left:
.5in'><font size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> -----Original
Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Phillip Tyre
[mailto:phillip.tyre@fcul.com]<br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, May 16, 2003 2:16 PM<br>
<b><span style='font-weight:bold'>To:</span></b> tallahassee-pm@mail.pm.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Tallahassee-pm] PHP
authentication</span></font></p>
</div>
<blockquote style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 3.0pt;
margin-left:3.0pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>
<p class=MsoNormal style='margin-left:.5in'><font size=3 color=navy
face="Times New Roman"><span style='font-size:12.0pt;color:navy'>Has anyone had
any experience with a custom perl, or PHP based authentication framework using
mysql as the back end? I've done some looking, but all the ones I've seen tend
to make the same basic assumptions. Once you authenticate the user, and set a
cookie, then you can trust all the cookies that are set for that user (admin
status, username, etc).</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>I'm really looking for
something more secure, where the actual session table in the database would
hold the permissions, and based on a matching session, the table would be
queried to retrieve the permissions.</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Am I way off base on
this?</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Phillip Tyre</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>P.S. This message brought
to you because of the heavy silence this list has experienced since the last
time I posted.</span></font></p>
</blockquote>
</div>
</body>
</html>
�