Cash reward for a secure PHP page!
Alan Cox
alan at redhat.com
Sun Nov 7 02:38:26 UTC 2004
On Sat, Nov 06, 2004 at 06:02:40PM -0600, Rodolfo J. Paiz wrote:
> few users, each of which has a username and password. However, they do
> not want to rely on .htaccess files only; they want each page to check
> session validity so they can have time-outs and stuff.
There are a whole pile of session manager libraries for PHP floating around
and some of them don't suck 8)
> 1. The user's credentials should be stored in some reasonably-secure
> and reasonably-scalable fashion. I do not have the knowledge to
> determine whether an htaccess file will work well enough or whether
The linux.org.uk portaloo does the following
state = [array of things we need to remember] + timestamp
md5sum (state, secret)
cookie = md5result + state
that gives you rather hard to fake browser kept state very easily
Alan
More information about the test
mailing list