From: | Cássio Alexandre Pereira de Castro <cassio(at)planetarium(dot)com(dot)br> |
---|---|
To: | "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org> |
Subject: | Re: the "correct" way to login. |
Date: | 2001-03-15 12:16:11 |
Message-ID: | 008301c0ad49$b9dd9ba0$4905a8c0@bh.embare.com.br |
Lists: | pgsql-php |
I use this solution too, in order to authenticate my users....
My users/password table is in a PostgreSQL database.
Cassio.
----- Original Message -----
From: "Andrew Hammond" <drew(at)waugh(dot)econ(dot)queensu(dot)ca>
To: "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Sent: Thursday, March 15, 2001 7:37 AM
Subject: [PHP] the "correct" way to login.
> On Wed, Mar 14, 2001 at 02:39:28AM +0100, Christian Marschalek wrote:
> > > Horrible idea!! Even with an encrypted password. Use PHP
> > > sessions, and save
> > > any info on the session (this is saved on a temp file on the
> > > server, and only
> > > the session handle is passed to the browser).
>
> The HTTP protocol provides userid/password based authentication.
> Using cookies or hidden variables in a form, while a popular
> approach, is not the correct way to do this. Furthermore, a lot
> of people out there surf through a junk filter which will
> probably not let your cookie through. Mine certainly won't.
>
> The solution is to use the HTTP auth stuff. You can do this
> either using apache's Require directive at the server layer or
> directly in your scripts.
>
> To do it using apache, you need to edit your httpd.conf or
> appropriate configuration file and put in something like the
> following:
>
> <Directory /foo>
> AuthType Digest
> AuthName "realm foo"
> AuthUserFile /web/users
> AuthGroupFile /web/groups
> Require group admin
> </Directory>
>
> Or you could just put the stuff contained in the Directory
> stanza into a .htaccess file in the directory you want to
> restrict access to, however that is inefficient since the
> .htaccess file needs to be stat'd every time a page is accessed.
> It also only allows directory level granularity and it's a pain
> in the ass to make the 401 message meaningful. But it's
> sufficient for many jobs and very fast. The apache approach also
> supports the digest method giving some transportation security,
> while the direct php approach does not.
>
> To do it in your script directly, you need to pay attention
> to $PHP_AUTH_USER and $PHP_AUTH_PW. For example:
>
> if(!isset($PHP_AUTH_USER)) {
> Header("WWW-Authenticate: Basic realm=\"sis_access\"");
> Header("HTTP/1.0 401 Unauthorized");
> include ( 'denied.html' ); // or you could redirect
> exit;
> }
>
> Then test the password the same way. Passwords should (obviously)
> be stored in an encrypted format (MD5 is suitable, or you can just
> use good old DES crypt). This will provide you with localized
> security. For transport level security you can either use the
> digest method for authentication, or if you're really serious, an
> SSL connection. Of course if you're _really_ serious you're going
> to be using x509 cert's and public key crypto, not some rinky dink
> password based system.
>
> > > System Administration: It's a dirty job,
>
> Then you're doing it wrong.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>
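Added example, not from this thread or from any of its posters: the script-level HTTP Basic check Andrew describes, written in current PHP. It swaps `password_hash()`/`password_verify()` in for the MD5 or DES `crypt()` the post suggests, reads its users from a constructed in-memory array that stands in for Cássio's PostgreSQL table, handles the CGI/FastCGI case where `PHP_AUTH_USER` is not populated, and refuses to accept Basic credentials over plain HTTP. The realm name, user name and password are made up.

```php
<?php
// Added example (not code from the thread): HTTP Basic auth in a PHP script.
// Requires PHP 7.2+ (password_hash, password_verify, http_response_code).

const AUTH_REALM = 'sis_access';

// Constructed stand-in for the users/password table. In a real deployment
// this is a query against the database; the hash is computed once at
// start-up here only so the example is self-contained.
function lookup_password_hash(string $user): ?string
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ];
    }
    return $users[$user] ?? null;
}

// $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'] (the post's $PHP_AUTH_USER and
// $PHP_AUTH_PW) are only filled in when PHP runs as an Apache module. Under
// CGI/FastCGI the Authorization header has to be decoded by hand, so do both.
function credentials_from_request(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    // strict decoding: reject anything that is not clean base64
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // the user name cannot contain ':', the password may
    return explode(':', $decoded, 2);
}

// The 401 + WWW-Authenticate pair from the post, plus a body for clients
// that cancel the dialog (the post's denied.html).
function send_challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
    http_response_code(401);
    echo 'Authentication required';
    exit;
}

// Returns the authenticated user name or terminates the request.
function authenticate(array $server): string
{
    // Basic auth carries the password merely base64-encoded, i.e. in clear.
    // Without TLS this is exactly the transport weakness the post warns about.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        http_response_code(403);
        exit('HTTP Basic authentication is only accepted over TLS');
    }

    $creds = credentials_from_request($server);
    if ($creds === null) {
        send_challenge();
    }
    [$user, $pass] = $creds;

    $hash = lookup_password_hash($user);
    if ($hash === null) {
        // Unknown user: still run a verify against a dummy hash so response
        // timing does not reveal which user names exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($pass, $dummy);
        send_challenge();
    }
    if (!password_verify($pass, $hash)) {
        send_challenge();
    }
    return $user;
}

// Usage in a protected page:
$user = authenticate($_SERVER);
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Drop the file into a TLS-served vhost and request it: the first request gets the 401 challenge, the browser prompts, and the retry carries `Authorization: Basic <base64(user:password)>`. Running it from the CLI (no `HTTPS` entry in `$_SERVER`) deliberately ends in the 403 branch. Note that browsers cache Basic credentials for the realm, so there is no server-side "logout" short of changing the realm name or the password.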