
Re: [phpwiki-checkins] CVS: phpwiki/lib WikiUserNew.php,NONE,1.1: msg#00057


Subject: Re: [phpwiki-checkins] CVS: phpwiki/lib WikiUserNew.php,NONE,1.1

Joby Walker wrote:
This looks good, but as I read this you are storing the username&password (in human readable form) in the contents of a cookie on the end-user's machine. This seems quite bad to me. SOP, for web sites is to store a cookie with a unique id (UID). The cookie id plus some unique features of the client (IP, browser, time, etc) are then checked by the server against its session database and if verified the user is logged in (very similar to Kerberos). But by storing the username & password in the cookie, if someone reads the cookie they will have complete access to that account.

A quick review of the cookies currently in my browser shows:

1) UIDs are primarily used -- especially with commercial sites.
2) Passwords are not stored in cookies.
3) Userids, if used instead of a UID, are encrypted.
4) Very little data is in human readable form -- and none of it is critical info.

If I am mistaken about what you are storing in the cookie ... then ignore. But I am quite worried about this development.

Well, I'm not so concerned about security with this password issue, since it's only a wiki. Nothing serious.
If I store sensitive data in cookies I do a symmetric encryption with a secret key at the host, generated at install time.

But it's true that certain pref data shouldn't be stored in cookies: passwd (for security), email (. Just the basic prefs for username and layout.
otherwise the user has to create a homepage.
okay?

But then we'll have to fix the login procedure also.

On a better note the classes look good. Having different classes with common methods will be very helpful for the future of phpwiki.
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
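The UID-plus-session-database scheme Joby describes, as an added PHP example that is not phpwiki's code: the cookie carries only a random opaque ID, and the server keeps the mapping to the user together with the client features it checks on every request. The in-memory `$sessions` array, the cookie name `WIKI_SID`, and the IP/user-agent values are constructed stand-ins for what phpwiki would keep in its own backend.

```php
<?php
// Added example, not phpwiki code. The session store is a plain array here;
// a real deployment would persist it in the wiki's database (assumption).

const SESSION_TTL = 3600;   // seconds a session ID stays valid
$sessions = [];             // sha256(token) => session record

// After the password has been verified (not shown), issue a random, unguessable
// session ID and remember it server-side. Only its hash is stored, so a leaked
// session table does not hand out usable cookies.
function issue_session(array &$sessions, string $userid, string $ip, string $ua): string {
    $token = bin2hex(random_bytes(32));   // 256-bit opaque ID, never contains the password
    $sessions[hash('sha256', $token)] = [
        'userid'  => $userid,
        'ip'      => $ip,
        'ua_hash' => hash('sha256', $ua),
        'expires' => time() + SESSION_TTL,
    ];
    return $token;
}

// Check a presented cookie value against the store and the client's features.
// Returns the userid on success, null (and drops the session) on any mismatch.
function check_session(array &$sessions, string $token, string $ip, string $ua): ?string {
    $key = hash('sha256', $token);
    if (!isset($sessions[$key])) {
        return null;
    }
    $s = $sessions[$key];
    if (time() > $s['expires'] || $s['ip'] !== $ip
        || !hash_equals($s['ua_hash'], hash('sha256', $ua))) {
        unset($sessions[$key]);
        return null;
    }
    return $s['userid'];
}

// Usage with constructed client values; the cookie itself is only set when
// running under a web server, with HttpOnly and Secure so scripts and plain
// HTTP cannot read it.
$ua    = 'Mozilla/5.0 (constructed)';
$token = issue_session($sessions, 'JobyWalker', '192.0.2.10', $ua);
if (PHP_SAPI !== 'cli') {
    setcookie('WIKI_SID', $token, ['expires' => time() + SESSION_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
var_dump(check_session($sessions, $token, '192.0.2.10', $ua));     // same client: userid
var_dump(check_session($sessions, $token, '198.51.100.7', $ua));   // IP changed: rejected
```

Binding the session to the client IP, as the mail suggests, will log out users whose address changes mid-session (mobile networks, rotating proxies); many sites therefore bind only to the user agent or rely on the random ID plus expiry alone.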




