From: | Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz> |
---|---|
To: | pgsql-php(at)postgresql(dot)org |
Subject: | Re: securing PHP/Postgresql (was: MD5 in pg and php) |
Date: | 2004-05-01 12:07:26 |
Message-ID: | 1083413245.6439.43.camel@lamb.mcmillan.net.nz |
Lists: | pgsql-php |
On Thu, 2004-04-29 at 18:57 +0200, Joolz wrote:
>
> I have to think about it long and hard :-), the extra "layer" makes
> things more secure, I would only have to register username (for
> auditing purposes) plus the "role" in session variables, which could
> be md5()'d. Still, the extra layer is from a logical point of view
> redundant and thus error-prone.
>
> Still, it might be a good idea. If anyone cares to share their opinion
> on the matter (or discuss how you handled this), TIA!
For myself, I handle security roughly as follows:

Password is stored as a salted md5, which means that two users with the
same password have different on-disk records of it.

Logged in user gets a session cookie which is an md5 of random data plus
a session id. The session id is looked up, and the random data (which
is only known server-side) is validated. Of course the session id is
predictable, but the random data is not.

I use a general user-id to access the database, rather than database
users and permissions. I generally find that the database permissions
model is not a good fit to the permissions I want for my website.

Hope this is of interest,

Andrew McMillan.
-------------------------------------------------------------------------
Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267
-------------------------------------------------------------------------
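The scheme Andrew outlines above, written out as an added PHP example (not code from the original message or from any project on this list): a per-user salted password record, and a session cookie derived from server-side random data plus a predictable session id, validated by looking the id up and recomputing the cookie. The primitives are swapped in by assumption to what a current PHP practitioner would reach for: `password_hash()`/`password_verify()` in place of salted md5, `random_bytes()` for the secret, `sha256` instead of md5 for the cookie digest, and `hash_equals()` for the comparison. The in-memory `$users` and `$sessions` arrays stand in for PostgreSQL tables; all data is constructed for the example.

```php
<?php
// Added example, not from the original message. Mirrors the structure
// described in the thread: salted password storage plus a session cookie
// built from server-side random data and a session id.
// Assumptions: password_hash()/password_verify(), random_bytes(), sha256 and
// hash_equals() replace the salted md5 of the original; arrays replace tables.

declare(strict_types=1);

// --- Password storage ------------------------------------------------------
// password_hash() generates a fresh random salt per call and embeds it in the
// stored string, so two users with the same password get different records.
function store_password(array &$users, string $username, string $password): void
{
    $users[$username] = ['pwhash' => password_hash($password, PASSWORD_DEFAULT)];
}

function check_password(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]['pwhash']);
}

// --- Sessions --------------------------------------------------------------
// The session row holds random data known only to the server. The cookie is
// "<session id>:<digest of secret + session id>", so a predictable id on its
// own does not let a client produce a valid cookie.
function create_session(array &$sessions, string $username, int &$next_id): string
{
    $session_id = $next_id++;
    $secret = bin2hex(random_bytes(32));          // server-side only
    $sessions[$session_id] = ['user' => $username, 'secret' => $secret];
    return $session_id . ':' . hash('sha256', $secret . $session_id);
}

// Returns the username for a valid cookie, or null for anything else.
function validate_session(array $sessions, string $cookie): ?string
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $session_id = (int) $m[1];
    if (!isset($sessions[$session_id])) {
        return null;
    }
    $expected = hash('sha256', $sessions[$session_id]['secret'] . $session_id);
    // hash_equals() compares in constant time regardless of where strings differ.
    return hash_equals($expected, $m[2]) ? $sessions[$session_id]['user'] : null;
}

// --- Demonstration with constructed data ----------------------------------
$users = [];
$sessions = [];
$next_id = 1;

store_password($users, 'alice', 'correct horse');
store_password($users, 'bob', 'correct horse');
if ($users['alice']['pwhash'] === $users['bob']['pwhash']) {
    throw new RuntimeException('same password must not yield the same stored record');
}
if (!check_password($users, 'alice', 'correct horse') || check_password($users, 'alice', 'wrong')) {
    throw new RuntimeException('password check misbehaved');
}

$cookie = create_session($sessions, 'alice', $next_id);
if (validate_session($sessions, $cookie) !== 'alice') {
    throw new RuntimeException('valid cookie was rejected');
}
// A cookie naming a real session id but lacking the server-side secret fails.
if (validate_session($sessions, '1:' . str_repeat('0', 64)) !== null) {
    throw new RuntimeException('forged cookie was accepted');
}
echo "all checks passed\n";
```

The session id is still predictable here, exactly as in the message; what the lookup protects is that the digest half of the cookie cannot be produced without the `secret` column, which never leaves the server. Following the last paragraph of the message, the application would connect with a single database role and enforce per-user authorisation on `$sessions[...]['user']` itself rather than on PostgreSQL privileges.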