Re: the "correct" way to login.
From | Jon Tai |
---|---|
Subject | Re: the "correct" way to login. |
Date | |
Msg-id | 006e01c0aec8$c90ae300$6501a8c0@genesis (whole thread, raw message) |
In response to | Re: Re: Re: Secure pages ("Martin A. Marques" <martin@math.unl.edu.ar>) |
Responses | Re: the "correct" way to login. (Andrew Hammond <drew@waugh.econ.queensu.ca>) |
List | pgsql-php |
HTTP auth is bad for several reasons.

1) The user/pass is submitted upon each request to the page.
2) There is no way to control how long a session lasts (auto-logout after a certain time).
3) There is no way to end the session explicitly (logout button).
4) There is built-in session support in PHP4. Use it. =)

When I build applications that require a login, I have each file include a "common.inc" file that contains shared (global) variables and functions. It also forces a login...

<?php
//
// common.inc
//
// NB: $username, $password and $logout arrive as plain variables because
// this relies on PHP4's register_globals.

// set global variables
...

// initialize session (8hr auto-expire)
session_set_cookie_params(28800);
session_start();
session_register("ses_user");
session_register("ses_pass");

// $username and $password are passed via POST from a login form
if (isset($username)) $ses_user = $username;
if (isset($password)) $ses_pass = $password;

// allow for logout if $logout is set via GET or POST
if (isset($logout)) {
    unset($ses_user);
    unset($ses_pass);
    session_destroy();
    session_unset();
}

// if unauthorized, allow for login
if ( ($ses_user) && ($ses_pass) ) {
    // check user/pass against database, .htaccess file, etc.
    ...

    // if user/pass is valid,
    define("USER_AUTHORIZED", 1);
}

if (!defined("USER_AUTHORIZED")) {
    // redirect or print login form via include();
    ...
}
?>

----- Original Message -----
From: "Dan Wilson" <phpPgAdmin@acucore.com>
To: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
Sent: Thursday, March 15, 2001 10:31 AM
Subject: Re: [PHP] the "correct" way to login.

I've had problems with this solution. I had to switch phpPgAdmin from HTTP-Auth to a standard HTML form because of problems running it on a non-apache server.

Just an FYI.

-Dan

: I use this solution too, in order to authenticate my users....
:
: My users/password table is in a PostgreSQL database.
:
: Cassio.
: ----- Original Message -----
: From: "Andrew Hammond" <drew@waugh.econ.queensu.ca>
: To: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
: Sent: Thursday, March 15, 2001 7:37 AM
: Subject: [PHP] the "correct" way to login.
:
:
: > On Wed, Mar 14, 2001 at 02:39:28AM +0100, Christian Marschalek wrote:
: > > > Horrible idea!! Even with an encrypted password. Use PHP
: > > > sessions, and save any info on the session (this is saved on a
: > > > temp file on the server, and only the session handle is passed
: > > > to the browser).
: >
: > The HTTP protocol provides userid/password based authentication.
: > Using cookies or hidden variables in a form, while a popular
: > approach, is not the correct way to do this. Furthermore, a lot
: > of people out there surf through a junk filter which will
: > probably not let your cookie through. Mine certainly won't.
: >
: > The solution is to use the HTTP auth stuff. You can do this
: > either using apache's Require directive at the server layer or
: > directly in your scripts.
: >
: > To do it using apache, you need to edit your httpd.conf or
: > appropriate configuration file and put in something like the
: > following:
: >
: > <Directory /foo>
: >     AuthType Digest
: >     AuthName "realm foo"
: >     AuthUserFile /web/users
: >     AuthGroupFile /web/groups
: >     Require group admin
: > </Directory>
: >
: > Or you could just put the stuff contained in the Directory
: > stanza into a .htaccess file in the directory you want to
: > restrict access to, however that is inefficient since the
: > .htaccess file needs to be stat'd every time a page is accessed.
: > It also only allows directory level granularity and it's a pain
: > in the ass to make the 401 message meaningful. But it's
: > sufficient for many jobs and very fast. The apache approach also
: > supports the digest method giving some transportation security,
: > while the direct php approach does not.
: >
: > To do it in your script directly, you need to pay attention
: > to $PHP_AUTH_USER and $PHP_AUTH_PW. For example:
: >
: > if(!isset($PHP_AUTH_USER)) {
: >     Header("WWW-Authenticate: Basic realm=\"sis_access\"");
: >     Header("HTTP/1.0 401 Unauthorized");
: >     include ( 'denied.html' ); // or you could redirect
: >     exit;
: > }
: >
: > Then test the password the same way. Passwords should (obviously)
: > be stored in an encrypted format (MD5 is suitable, or you can just
: > use good old DES crypt). This will provide you with localized
: > security. For transport level security you can either use the
: > digest method for authentication, or if you're really serious, an
: > SSL connection. Of course if you're _really_ serious you're going
: > to be using X.509 certs and public key crypto, not some rinky dink
: > password based system.
: >
: > > > System Administration: It's a dirty job,
: >
: > Then you're doing it wrong.
: >
: > ---------------------------(end of broadcast)---------------------------
: > TIP 4: Don't 'kill -9' the postmaster
: >
:
:
: ---------------------------(end of broadcast)---------------------------
: TIP 5: Have you checked our extensive FAQ?
:
: http://www.postgresql.org/users-lounge/docs/faq.html

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://www.postgresql.org/search.mpl
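The session-based guard that Jon Tai's message sketches as common.inc, written out as an added example for current PHP (7.4 or later); this is not his code or the list's. It keeps his points 2) and 3) (a timed auto-logout and an explicit logout) but stores only the user's identity in the session, never the password, and enforces the idle timeout on the server instead of trusting the cookie lifetime. The user table, the user name and password, the helper names find_password_hash(), check_credentials(), login(), logout() and current_user(), and the file login_form.html are all assumptions made up for the example.

```php
<?php
// Session-based login guard in the role of common.inc: an added example,
// not Jon Tai's code. Requires PHP 7.4+ (array form of session_set_cookie_params,
// the ??= operator). The user table below is constructed for the example.

declare(strict_types=1);

const SESSION_IDLE_SECONDS = 28800;   // 8 hours, as in the original cookie lifetime

// Constructed stand-in for the users table (username => password_hash() output);
// in a real application this is the "check against database" step.
function find_password_hash(string $username): ?string
{
    static $table = null;
    if ($table === null) {
        $table = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $table[$username] ?? null;
}

function check_credentials(string $username, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = find_password_hash($username);
    // Unknown user: still run a verify so response time does not reveal whether the name exists.
    $ok = password_verify($password, $hash ?? $dummy);
    return $hash !== null && $ok;
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; expiry is enforced server-side below
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client too, so the old id is not resent.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure'   => $p['secure'],  'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function login(string $username, string $password): bool
{
    if (!check_credentials($username, $password)) {
        return false;
    }
    session_regenerate_id(true);          // fresh id on privilege change (session fixation)
    $_SESSION['user']      = $username;   // identity only; the password is never stored
    $_SESSION['last_seen'] = time();
    return true;
}

function current_user(): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        logout();                         // idle timeout, independent of the cookie
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

// ---- request handling, the equivalent of "it also forces a login" ----
start_secure_session();

if (isset($_POST['logout'])) {            // explicit logout button
    logout();
}

// Credentials are read from POST only (no register_globals, no GET).
if (isset($_POST['username'], $_POST['password'])
    && !login((string) $_POST['username'], (string) $_POST['password'])) {
    http_response_code(401);
}

if (current_user() === null) {
    include 'login_form.html';            // assumed file containing the login form
    exit;
}
// From here on, current_user() is the authenticated username.
```

Included at the top of every protected page, this replaces the PHP4 register_globals flow with explicit $_POST reads; session_regenerate_id() after a successful login is the step most often missed, since reusing the pre-login session id lets a fixed id survive authentication.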
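The in-script HTTP auth check from Andrew Hammond's quoted message, rewritten as an added example for current PHP; it is not his snippet or the list's code. PHP4's $PHP_AUTH_USER and $PHP_AUTH_PW globals are now $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], and since those are not populated in every SAPI (Dan Wilson's non-apache problem), the check also falls back to parsing a raw Authorization header. The user table, the realm value and the helper names basic_auth_users(), basic_auth_user() and send_basic_challenge() are assumptions made up for the example.

```php
<?php
// HTTP Basic authentication guard: an added example, not Andrew Hammond's code.
// The credential store is constructed (one user with a password_hash() hash).

declare(strict_types=1);

function basic_auth_users(): array
{
    // Constructed sample; a real deployment reads this from a database.
    return ['admin' => password_hash('example-only-password', PASSWORD_DEFAULT)];
}

// Return the authenticated username, or null if the request carries no valid credentials.
function basic_auth_user(array $server, array $users): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;

    // Under CGI/FastCGI PHP may not fill PHP_AUTH_*; fall back to the raw header,
    // which is only present if the web server is configured to pass it through.
    if ($user === null
        && preg_match('/^Basic\s+(\S+)$/i', $server['HTTP_AUTHORIZATION'] ?? '', $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$user, $pass] = explode(':', $decoded, 2);
        }
    }

    if ($user === null || $pass === null || !isset($users[$user])) {
        return null;
    }
    return password_verify($pass, $users[$user]) ? $user : null;
}

// Tell the browser to prompt for credentials. Unlike a session there is no server-side
// state to expire or clear: the browser resends the credentials on every request until
// it is closed, which is why Basic auth must only be used over TLS.
function send_basic_challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '"');
    http_response_code(401);
    echo "Authorization required\n";
    exit;
}

$who = basic_auth_user($_SERVER, basic_auth_users());
if ($who === null) {
    send_basic_challenge('sis_access');
}
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8') . "\n";
```

Passwords are compared with password_verify() against a salted hash rather than the unsalted MD5 or DES crypt of the 2001 discussion; the two limitations Jon Tai lists (credentials on every request, no explicit logout) are inherent to the scheme and are not fixed by this code.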