<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4923.2500" name=GENERATOR>
<STYLE>@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; }
P.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
        COLOR: windowtext; FONT-FAMILY: Arial
}
SPAN.EmailStyle18 {
        COLOR: navy; FONT-FAMILY: Arial
}
DIV.Section1 {
        page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>Yes,
the silence has been unfortunate. I've been up to my ears in work these
last few weeks.</FONT></SPAN></DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>In my
own previous work, I have been able to go a little further than simply setting a
cookie in the browser and trusting it from then on. What I've done in the
past with my own security systems was:</FONT></SPAN></DIV>
<UL>
<LI><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2>Create a large randomized string (20 chars min.) and use that value as
a session key (I call it a "ticket"), which gets stored in the
database as being tied to a particular user, and is then sent to the
browser as a cookie along with another cookie indicating the
username.</FONT></SPAN></LI>
<LI><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>Each
"ticket" has an expiration time of about 15 minutes (not an actual HTTP cookie
expiration time, but a time my code keeps track of). This time can be as long
or short as you want, depending on how paranoid you are.</FONT></SPAN></LI>
<LI><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>Each
time the browser accesses the web app, my server side code verifies that the
cookie value matches the current ticket that is stored in the database for
that user (or that is cached on the web server somehow -- it doesn't have to
be a database, see Apache::Session), and that the "ticket" hasn't
expired. </FONT></SPAN></LI>
<LI><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>If
the ticket has expired, a new one is generated, stored in the db, and issued
to the browser without the user being any the wiser.</FONT></SPAN></LI>
<LI><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>If an
invalid ticket is passed in, all valid sessions for that user are deleted, and
the user is asked to log in again.</FONT></SPAN></LI></UL>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>The
end result is that it becomes very difficult for someone to hijack a user's
session because they must be able to send in the usercode cookie and the
ticket cookie, which is very hard to guess. Even if they manage to do
that, they'll only get 15 minutes (or whatever I've set the expiry to be) before
they blow up the session and force a login, since either their browser or the
legitimate user's browser will send an invalid ticket once a new one gets issued
and the system will kick them both out.</FONT></SPAN></DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>This
has worked very well for me in the past, and when coupled with a method
for IP address matching, it becomes even more secure.</FONT></SPAN></DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2>Essentially, if you need more security than this, I'd say it's time to
add SSL into the mix.</FONT></SPAN></DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff size=2>Hope
this helps!</FONT></SPAN></DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=578121718-16052003><FONT face=Arial color=#0000ff
size=2>jpt</FONT></SPAN></DIV>
<DIV><SPAN class=578121718-16052003></SPAN><FONT face=Tahoma><FONT size=2><SPAN
class=578121718-16052003><FONT face=Arial
color=#0000ff> </FONT></SPAN></FONT></FONT></DIV>
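<DIV><FONT face=Arial size=2>The ticket scheme described in the reply above, written out as an added example. This is not code from the original message or from either poster; it is Python, with an in-memory SQLite table standing in for the MySQL table or Apache::Session store the message mentions. The constant-time ticket comparison, the injectable clock, and the <CODE>hijack_demo</CODE> walk-through are assumptions added here, not part of the message.</FONT></DIV>

```python
import hmac
import secrets
import sqlite3
import time

TICKET_TTL_SECONDS = 15 * 60  # the 15-minute server-side expiry the message describes


class TicketStore:
    """One live random ticket per user, checked on every request and rotated on expiry."""

    def __init__(self, ttl=TICKET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable clock (assumption) so the expiry path can be exercised offline
        self.db = sqlite3.connect(":memory:")  # stands in for the MySQL / Apache::Session store
        self.db.execute(
            "CREATE TABLE sessions (username TEXT PRIMARY KEY,"
            " ticket TEXT NOT NULL, expires_at REAL NOT NULL)"
        )

    def _issue(self, username):
        # 32 random bytes -> 43 URL-safe characters, comfortably above the 20-char minimum
        ticket = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT OR REPLACE INTO sessions (username, ticket, expires_at) VALUES (?, ?, ?)",
            (username, ticket, self.clock() + self.ttl),
        )
        self.db.commit()
        # The two cookies sent to the browser: the user's identity and the ticket.
        return {"usercode": username, "ticket": ticket}

    def login(self, username):
        """Called once the password check has succeeded; returns the cookies to set."""
        return self._issue(username)

    def revoke_all(self, username):
        """Drop every session for the user (the message's response to an invalid ticket)."""
        self.db.execute("DELETE FROM sessions WHERE username = ?", (username,))
        self.db.commit()

    def check(self, cookies):
        """Validate the usercode/ticket cookie pair on each request.

        Returns (status, cookies): 'ok' (cookies unchanged), 'rotated' (new cookies
        to set, the user none the wiser) or 'login' (sessions torn down, re-login).
        """
        username = cookies.get("usercode", "")
        presented = cookies.get("ticket", "")
        row = self.db.execute(
            "SELECT ticket, expires_at FROM sessions WHERE username = ?", (username,)
        ).fetchone()
        # Constant-time comparison (assumption added here) so the check leaks no timing information.
        if row is None or not hmac.compare_digest(row[0].encode(), presented.encode()):
            self.revoke_all(username)
            return ("login", None)
        if self.clock() >= row[1]:
            # Ticket expired but otherwise valid: rotate silently.
            return ("rotated", self._issue(username))
        return ("ok", cookies)


def hijack_demo():
    """Constructed scenario from the message: an attacker copies the cookie pair,
    the ticket rotates, and the stale copy then ends the session for both parties."""
    now = [1_000_000.0]
    store = TicketStore(clock=lambda: now[0])
    victim = store.login("alice")
    attacker = dict(victim)  # stolen cookie pair
    first, _ = store.check(attacker)  # within the window the stolen pair works
    now[0] += TICKET_TTL_SECONDS + 1  # window elapses
    second, victim = store.check(victim)  # legitimate browser triggers a rotation
    third, _ = store.check(attacker)  # stale ticket: every session for alice is deleted
    fourth, _ = store.check(victim)  # the legitimate user is kicked out too
    return (first, second, third, fourth)


if __name__ == "__main__":
    print(hijack_demo())
```

<DIV><FONT face=Arial size=2>Running <CODE>hijack_demo()</CODE> shows the trade-off the message describes: the stolen pair works until the ticket rotates, after which the first party to present the old ticket forces a fresh login for both.</FONT></DIV>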
<DIV><FONT face=Tahoma><FONT size=2><SPAN
class=578121718-16052003> </SPAN>-----Original Message-----<BR><B>From:</B>
Phillip Tyre [mailto:phillip.tyre@fcul.com]<BR><B>Sent:</B> Friday, May 16, 2003
2:16 PM<BR><B>To:</B> tallahassee-pm@mail.pm.org<BR><B>Subject:</B>
[Tallahassee-pm] PHP authentication<BR><BR></FONT></FONT></DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=Section1>
<P class=MsoNormal><FONT face="Times New Roman" color=navy size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: navy">Has anyone had any experience with a
custom perl, or PHP based authentication framework using mysql as the back
end? I've done some looking, but all the ones I've seen tend to make the same
basic assumptions. Once you authenticate the user, and set a cookie, then you
can trust all the cookies that are set for that user (admin status, username,
etc).</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">I'm really looking
for something more secure, where the actual session table in the database
would hold the permissions, and based on a matching session, the table would
be queried to retrieve the permissions.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Am I way off base on
this?</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Phillip
Tyre</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">P.S. This message
brought to you because of the heavy silence this list has experienced since
the last time I posted.</SPAN></FONT></P></DIV></BLOCKQUOTE></BODY></HTML>