httpd-users mailing list archives

From "Chris Taylor" <ch...@x-bb.org>
Subject Re: [users@httpd] Identifying a session
Date Sat, 28 Dec 2002 16:30:32 GMT

In the past, I normally used a database with all my user details, and
store a hash of the password (i.e., something non-reversible) and the
user id in the cookie. That effectively means you can auth them on
every page (check that the server-generated hash matches the cookie's
one) without any trouble, and is sufficiently quick to execute.

It also gives you a lot more options than using REMOTE_USER only.
However, I generally design semi-secure sites (basic forums, add-on
login functions etc). Of course, you can SSL on top of all this to
add a bit of *real* security.

This is PHP btw, but I imagine this can be extended to Perl with a
bit of experience. The golden rule is probably to minimize the amount
in each cookie, then it's hard to work out how your system functions
from just seeing the cookie :) The less in it, the quicker it's
transferred each way as well...

Just my 2p,

Chris Taylor - chris@x-bb.org - The guy with the PS2 WebServer -
http://www.x-bb.org/chris.asc

----- Original Message -----
From: "Lukas Ruf" <ruf@rawip.org>
To: <users@httpd.apache.org>
Sent: Saturday, December 28, 2002 3:57 PM
Subject: Re: [users@httpd] Identifying a session


> 
> > Rich Bowen <rbowen@rcbowen.com> [2002-12-28 16:53]:
> >
> > 
> > Yes, if REMOTE_USER is set, you can be confident that the user
> > correctly made it through the authentication phase.
> > 
> so, I am safe with https and REMOTE_USER ,-)  Thanks!
> 
> > > Is there somewhere any good explanation how to program with
> > > cookies? 
> > 
> > A cookie is just a means of setting a variable in a persistent
> > manner. You send a Set-Cookie header, and you receive it back
> > again the next time that the client visits. You use them as you
> > would any other configuration variable. Most CGI libraries, for
> > various languages, have some means of setting and reading cookies
> > in a simplified manner. What language are you using?
> > 
> C and perl 
> 
> Thanks for your explanation.  This Set-Cookie header makes part of
> the web-page header?
> 
> I would like to know how things work that's why I asked
> for a good explanation/documentation.  Is there something like an
> rfc or a document on w3c.org?
> 
> wbr,
> Lukas
> -- 
> Lukas Ruf
> http://www.lpr.ch
> Wanna know anything about raw ip? 
> Join rawip@rawip.org on http://www.rawip.org
> 
> --------------------------------------------------------------------
> - The official User-To-User support forum of the Apache HTTP Server
> Project. See <URL:http://httpd.apache.org/userslist.html> for more
> info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


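A variant of the per-page cookie check described in the message above, added here as an example and not code from the thread or from the Apache project: instead of a hash of the password, the cookie carries the user id, an expiry time and an HMAC computed with a server-side key, so nothing derived from the password leaves the server and the value cannot be altered or reused after it expires. The cookie name, lifetime, key handling and token layout are assumptions made for the illustration.

```php
<?php
// Added example: names, key handling and cookie layout are assumptions.
const COOKIE_NAME = 'auth';   // hypothetical cookie name
const LIFETIME    = 3600;     // seconds a token stays valid

// Server-side secret. Constructed demo value; a real key comes from
// configuration and is never sent to the client.
function server_key(): string {
    return hash('sha256', 'constructed-demo-key', true);
}

// Build "uid|expiry|mac". The MAC covers uid and expiry, so neither
// can be changed by the client without invalidating the token.
function make_token(int $uid, int $now, string $key): string {
    $payload = $uid . '|' . ($now + LIFETIME);
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Return the user id for a valid, unexpired token, otherwise null.
function check_token(string $token, int $now, string $key): ?int {
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$uid, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $uid . '|' . $expiry, $key);
    // hash_equals compares in constant time, so response timing does
    // not reveal how many leading characters of the MAC matched.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return ((int)$expiry >= $now) ? (int)$uid : null;
}

// Constructed demonstration, runnable with the PHP command-line binary.
$key   = server_key();
$now   = time();
$token = make_token(42, $now, $key);
var_dump(check_token($token, $now, $key));                  // untampered token
var_dump(check_token('43' . substr($token, 2), $now, $key)); // user id changed
var_dump(check_token($token, $now + LIFETIME + 1, $key));   // checked after expiry

// In a page handler the token would be sent over HTTPS only, e.g.:
// setcookie(COOKIE_NAME, $token, ['expires' => $now + LIFETIME,
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```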