Re: Re: [phpwiki-checkins] CVS: phpwiki/lib WikiUserNew.php,NONE,1.1 (msg#00064, web.wiki.phpwiki.talk)
Reini Urban wrote:
> Joby Walker schrieb:
>> The wiki that I manage is quite critical and contains a lot of data we don't want to fall into hostile hands...
>
> If I store sensitive data in cookies I do a symmetric encryption with a
> secret key at the host, generated at install time.
> but it's true that certain pref data shouldn't be stored in cookies: passwd (for security), email (. just the basic prefs for username and layout.

I still wouldn't do it this way. I would:

Cookie:
  Contents = a 64 character hex number [md5(random data1) . md5(random data2)]
  SSL = configurable yes/no
  Expire = configurable

Server Session Validation:
  Cookie Content ID
  Browser Used
  IP#
  Expiration Time

If the cookie points to a valid session then the user is logged in as the saved (as a part of the session) username and given the associated saved preferences.

This will allow for a more secure "auto-login" process -- if a cookie is compromised then it will contain no hard data (encrypted or not) with a fairly limited vulnerability window. And once the session attached to that cookie contents has expired -- the data is completely useless. And allows admins to dynamically set the expiration time of sessions (from never to very short times) even after the cookie has been set on the user's computer.
I absolutely agree. My quibble is with an implementation detail not the general architecture. These classes will make things MUCH easier.

jbw
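The session-cookie scheme sketched in the message above, as an added example that is not code from the phpwiki project or from either author: the cookie carries only an opaque 64-hex-character token, and the server keeps a table of username, preferences, browser, IP and creation time, so expiry can be changed by an admin after the cookie has already been issued. The in-memory `SessionStore`, the `Session` class and the function names are assumptions for illustration; a real deployment would persist the table and mark the cookie SSL-only as the message proposes.

```python
import hashlib
import os
import time
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    prefs: dict
    browser: str      # user agent string seen at login
    ip: str           # client address seen at login
    created: float    # unix time; expiry is computed from the store's current lifetime


def new_cookie_value() -> str:
    """64 hex chars: md5(random data1) . md5(random data2), as the proposal describes.
    All unpredictability comes from os.urandom; md5 merely formats the random bytes."""
    return (hashlib.md5(os.urandom(32)).hexdigest()
            + hashlib.md5(os.urandom(32)).hexdigest())


class SessionStore:
    """Server-side session table keyed by the cookie value (in-memory stand-in for a DB)."""

    def __init__(self, lifetime_seconds):
        self.lifetime = lifetime_seconds   # None means "never expire"
        self._sessions = {}

    def create(self, username, prefs, browser, ip, now=None):
        token = new_cookie_value()
        self._sessions[token] = Session(username, dict(prefs), browser, ip,
                                        time.time() if now is None else now)
        return token

    def validate(self, token, browser, ip, now=None):
        """Return the Session the cookie points to, or None if the token is unknown,
        expired, or presented from a different browser/IP than the one that logged in."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.lifetime is not None and now - s.created >= self.lifetime:
            del self._sessions[token]   # expired: the cookie value is now worthless
            return None
        if s.browser != browser or s.ip != ip:
            return None
        return s

    def set_lifetime(self, lifetime_seconds):
        """Admin-adjustable expiry; applies to sessions already issued, because the
        cookie holds only the opaque token and the clock lives on the server."""
        self.lifetime = lifetime_seconds
```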