<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4923.2500" name=GENERATOR>
<STYLE>@font-face {
        font-family: Wingdings;
}
@font-face {
        font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; }
P.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline
}
SPAN.emailstyle17 {
        COLOR: windowtext; FONT-FAMILY: Arial
}
SPAN.emailstyle18 {
        COLOR: navy; FONT-FAMILY: Arial
}
SPAN.EmailStyle19 {
        COLOR: navy; FONT-FAMILY: Arial
}
DIV.Section1 {
        page: Section1
}
OL {
        MARGIN-BOTTOM: 0in
}
UL {
        MARGIN-BOTTOM: 0in
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV><SPAN class=046085318-16052003><FONT face=Arial color=#0000ff size=2>Funny
you mention AOL. That's the very reason we disabled the IP checking in my
previous project. It was an internet-based project (not really the norm
for my current client), and we kept getting folks complaining about getting
kicked out! Good thinking on your part to avoid that
altogether.</FONT></SPAN></DIV>
<DIV><SPAN class=046085318-16052003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=046085318-16052003><FONT face=Arial color=#0000ff size=2>As for
your sessionid() function, I'd say it's practically worthy of
appearing in a William S. Burroughs or Philip K. Dick novel. Plenty
paranoid!</FONT></SPAN></DIV>
<DIV><SPAN class=046085318-16052003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=046085318-16052003><FONT face=Arial color=#0000ff
size=2>jpt</FONT></SPAN></DIV>
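<DIV><FONT face=Arial size=2>The ticket scheme James describes further down this thread (a random ticket of at least 20 characters tied to a user, a 15-minute expiry the server itself tracks, silent rotation on expiry, every session for the user dropped when an invalid ticket arrives, permissions read from the server-side row rather than a cookie), as an added example that is not code from any message in this thread. It assumes a dict in place of the MySQL session table and Python's secrets module as the ticket generator; the hijack_scenario function replays the race James describes, where a copied ticket and the legitimate one collide at the first rotation.</FONT></DIV>

```python
import secrets
import time

TICKET_TTL = 15 * 60  # seconds; the "about 15 minutes" the server itself tracks


class TicketStore:
    """Server-side session table. Assumption: a dict stands in for the MySQL
    table, keyed by username, with one current ticket per user."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised in tests
        self._rows = {}      # username -> {"ticket", "issued", "perms"}

    def _new_ticket(self):
        # 24 CSPRNG bytes -> 32 URL-safe chars, well past the 20-char minimum
        return secrets.token_urlsafe(24)

    def login(self, username, perms):
        """Called after the password check (not shown): issue a fresh ticket."""
        self._rows[username] = {"ticket": self._new_ticket(),
                                "issued": self._now(),
                                "perms": frozenset(perms)}
        return self._rows[username]["ticket"]

    def check(self, username, ticket):
        """Validate the (usercode cookie, ticket cookie) pair on each request.
        Returns (status, ticket_to_set, perms); perms come only from the row."""
        row = self._rows.get(username)
        if row is None or not secrets.compare_digest(
                row["ticket"].encode(), str(ticket).encode()):
            # Invalid ticket: delete every session for that user, force a login
            self._rows.pop(username, None)
            return "login", None, frozenset()
        if self._now() - row["issued"] > TICKET_TTL:
            # Expired but valid: rotate silently; the old value is dead from here on
            row["ticket"] = self._new_ticket()
            row["issued"] = self._now()
        return "ok", row["ticket"], row["perms"]


def hijack_scenario():
    """Replay the race from the thread: a thief holding a copied ticket and the
    legitimate user both keep presenting it; the first rotation kicks both out."""
    clock = [1_000_000.0]                        # constructed, controllable time
    store = TicketStore(now=lambda: clock[0])
    ticket = store.login("alice", ["read"])
    stolen = ticket                              # both cookies copied somehow
    clock[0] += 16 * 60                          # beyond the 15-minute window
    first, rotated, perms = store.check("alice", stolen)   # this request rotates
    second, _, _ = store.check("alice", ticket)  # real user sends the stale one
    third, _, _ = store.check("alice", rotated)  # the rotated one is dead too
    return first, second, third, rotated != ticket, "read" in perms
```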
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Phillip Tyre
[mailto:phillip.tyre@fcul.com]<BR><B>Sent:</B> Friday, May 16, 2003 2:43
PM<BR><B>To:</B> tallahassee-pm@mail.pm.org<BR><B>Subject:</B> RE:
[Tallahassee-pm] PHP authentication<BR><BR></FONT></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">That helps a ton.
That is actually a lot like the system I was picturing, except you've
obviously done a bit more thought on the expiration side of the problem. I'm
very leery about coupling the system with client IP matching, just because of
the poor sods on AOL and MSN, and all the fun proxy things both services
do.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">SSL is a definite,
but the problem that I worry about, but few others seem to, is the problem of
a valid user executing a privilege escalation. And that is what most systems I
see seem to leave wide open.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Everyone who codes a
website service seems to end up writing their own session system. Let me take
that back: I've seen session systems that are supposed to be able to plug into
anything you want to create, but again, they just don't seem that secure.
There should be a nice, paranoid custom database driven session framework in
open source, and then we could have a great time tying all the nice web
services out there into the same backend without going
insane.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Speaking of paranoid,
how's this?</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<PRE style="FONT-SIZE: 10pt; COLOR: navy">
function sessionid()
{
    // The purpose of this function is to generate a 110 digit,
    // case sensitive alphanumeric session ID for the purpose of
    // tracking active logins. It uses multiple entropy sources.
    // Generating large random numbers can be resource intensive,
    // so the upper limit of the random numbers can be tuned to
    // provide the right balance of uniqueness, and system performance.

    # Generate a unique ID based on the server clock
    # ("1" prefix + 13 hex chars = 14 chars)
    $uid_clock = uniqid(1);

    # Generate a random number called $rand_num1
    # (rand() yields at most getrandmax() distinct values, so a limit above
    # that adds no entropy and overflows the integer type on 32-bit builds)
    $rand_num1 = rand(1, getrandmax());

    # Generate a random number called $rand_num2
    $rand_num2 = rand(1, getrandmax());

    # Calculate a md5 hash of each random number separately (32 hex chars each)
    $rand_hash1 = md5($rand_num1);
    $rand_hash2 = md5($rand_num2);

    # Generate user_remote_info based on the client ip and port, if they exist.
    $user_remote_info = $_SERVER['REMOTE_ADDR'] . $_SERVER['REMOTE_PORT'];

    # Calculate a hash based on the remote user info
    $user_remote_hash = md5($user_remote_info);

    # Combine the above hashes, and unique id's to create a relatively
    # unique and hard to guess string (32 + 14 + 32 + 32 = 110 chars)
    $nsessionid = $rand_hash1 . $uid_clock . $rand_hash2 . $user_remote_hash;

    return $nsessionid;
}
</PRE>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Tahoma size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma">-----Original
Message-----<BR><B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> Tillman,
James [mailto:JamesTillman@fdle.state.fl.us] <BR><B><SPAN
style="FONT-WEIGHT: bold">Sent:</SPAN></B> Friday, May 16, 2003 1:31
PM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> Phillip Tyre;
tallahassee-pm@mail.pm.org<BR><B><SPAN
style="FONT-WEIGHT: bold">Subject:</SPAN></B> RE: [Tallahassee-pm] PHP
authentication</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Yes, the
silence has been unfortunate. I've been up to my ears in work these last
few weeks.</SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">In my
own previous work, I have been able to go a little further than simply setting
a cookie in the browser and trusting it from then on. What I've done in
the past with my own security systems was:</SPAN></FONT></P></DIV>
<P class=MsoNormal style="MARGIN-LEFT: 1in; TEXT-INDENT: -0.25in"><FONT
face=Symbol size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol">·<FONT
face="Times New Roman" size=1><SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></FONT></SPAN></FONT><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Create a large
randomized string (20 chars min.) and use that value as a session key (I
call it a "ticket"), which gets stored in the database as being tied to a
particular user, and is then sent to the browser as a cookie along with
another cookie indicating the username.</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 1in; TEXT-INDENT: -0.25in"><FONT
face=Symbol size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol">·<FONT
face="Times New Roman" size=1><SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></FONT></SPAN></FONT><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Each "ticket" has an
expiration time of about 15 minutes (not an actual HTTP cookie expiration
time, but a time my code keeps track of). This time can be as long or short as
you want, depending on how paranoid you are.</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 1in; TEXT-INDENT: -0.25in"><FONT
face=Symbol size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol">·<FONT
face="Times New Roman" size=1><SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></FONT></SPAN></FONT><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Each time the browser
accesses the web app, my server side code verifies that the cookie value
matches the current ticket that is stored in the database for that user (or
that is cached on the web server somehow -- it doesn't have to be a database,
see Apache::Session), and that the "ticket" hasn't expired.
</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 1in; TEXT-INDENT: -0.25in"><FONT
face=Symbol size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol">·<FONT
face="Times New Roman" size=1><SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></FONT></SPAN></FONT><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">If the ticket has
expired, a new one is generated, stored in the db, and issued to the browser
without the user being any the wiser.</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 1in; TEXT-INDENT: -0.25in"><FONT
face=Symbol size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol">·<FONT
face="Times New Roman" size=1><SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></FONT></SPAN></FONT><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">If an invalid ticket
is passed in, all valid sessions for that user are deleted, and the user is
asked to log in again.</SPAN></FONT></P>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">The end
result is that it becomes very difficult for someone to hijack a user's
session because they must be able to send in the usercode cookie and the
ticket cookie, which is very hard to guess. Even if they manage to do
that, they'll only get 15 minutes (or whatever I've set the expiry to be)
before they blow up the session and force a login, since either their browser
or the legitimate user's browser will send an invalid ticket once a new one
gets issued and the system will kick them both out.</SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">This has
worked very well for me in the past, and when coupled with a method
for IP address matching, it becomes even more
secure.</SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Essentially, if you
need more security than this, I'd say it's time to add SSL into the
mix.</SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">hope
this helps!</SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">jpt</SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=blue
size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial"></SPAN></FONT> </P></DIV>
<DIV>
<P class=MsoNormal
style="MARGIN-BOTTOM: 12pt; MARGIN-LEFT: 0.5in; MARGIN-RIGHT: 0in"><FONT
face=Tahoma size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma"> -----Original
Message-----<BR><B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> Phillip
Tyre [mailto:phillip.tyre@fcul.com]<BR><B><SPAN
style="FONT-WEIGHT: bold">Sent:</SPAN></B> Friday, May 16, 2003 2:16
PM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B>
tallahassee-pm@mail.pm.org<BR><B><SPAN
style="FONT-WEIGHT: bold">Subject:</SPAN></B> [Tallahassee-pm] PHP
authentication</SPAN></FONT></P></DIV>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 3pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3pt; BORDER-LEFT: blue 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
color=navy size=3><SPAN style="FONT-SIZE: 12pt; COLOR: navy">Has anyone had
any experience with a custom perl, or PHP based authentication framework
using mysql as the back end? I've done some looking, but all the ones I've
seen tend to make the same basic assumptions. Once you authenticate the
user, and set a cookie, then you can trust all the cookies that are set for
that user (admin status, username, etc).</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=navy
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">I'm
really looking for something more secure, where the actual session table in
the database would hold the permissions, and based on a matching session,
the table would be queried to retrieve the permissions.</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=navy
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Am I
way off base on this?</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=navy
size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Phillip
Tyre</SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face="Times New Roman"
size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P>
<P class=MsoNormal style="MARGIN-LEFT: 0.5in"><FONT face=Arial color=navy
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">P.S.
This message brought to you because of the heavy silence this list has
experienced since the last time I
posted.</SPAN></FONT></P></BLOCKQUOTE></DIV></BLOCKQUOTE></BODY></HTML>