#136
use php-cgiwrap to run php scripts in your username...
__________________
Stand out for justice as witnesses to God
#137
I want to point out something I found out about cookie forging. On a site I developed, different users have different kinds of access, and their user_id and access_id are stored in session variables, and for those who want the site to remember their login, also in a cookie. We figured someone might try to edit their cookie and change the access rank to one higher than their legitimate one, and tested it, and it was just ignored. Also, if the browser was closed, and then re-opened to the page, the edited cookie would simply be deleted.
Has this happened to anyone else? I tested it on different machines and the same behavior reoccurred.
#138
I think the browser tries to protect the cookie and ignore any changes you make directly to the file. But that doesn't stop someone from connecting directly through telnet or with a socket in PHP and sending their own cookie data by creating their own headers. They will know the format needed from the cookie you've already supplied them.
The vulnerability is there, even if you can't directly edit the cookie file. I think that ability is system dependent.
---John Holmes...
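What #137 and #138 describe, seen from the server side: the browser's handling of the cookie file protects nothing, so the server has to be able to tell when a cookie value is not one it issued. An added example (not code from any post in this thread) that does this with an HMAC; the key name, the cookie layout and the sample ids are assumptions.

```php
<?php
// Added example. SECRET_KEY and the "user:access:expires:mac" layout are
// assumptions for illustration; neither comes from the thread.
const SECRET_KEY = 'load-a-long-random-key-from-server-config'; // placeholder

// Build the cookie value: payload plus an HMAC only the server can compute.
function make_cookie_value(int $userId, int $accessId, int $expires): string
{
    $payload = "$userId:$accessId:$expires";
    return $payload . ':' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return the verified fields, or null if the value was edited, forged or expired.
function read_cookie_value($value, int $now): ?array
{
    if (!is_string($value)) {
        return null;                       // e.g. cookie sent as an array
    }
    $parts = explode(':', $value);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $accessId, $expires, $mac] = $parts;
    foreach ([$userId, $accessId, $expires] as $field) {
        if (!ctype_digit($field)) {
            return null;
        }
    }
    $expected = hash_hmac('sha256', "$userId:$accessId:$expires", SECRET_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if ((int) $expires < $now) {
        return null;
    }
    return ['user_id' => (int) $userId, 'access_id' => (int) $accessId];
}

// Constructed demo: a genuine value, then the same value with access_id
// changed from 1 to 9 as if the client had rewritten its Cookie header.
$now    = time();
$good   = make_cookie_value(42, 1, $now + 3600);
$edited = preg_replace('/^42:1:/', '42:9:', $good);
var_dump(read_cookie_value($good, $now));
var_dump(read_cookie_value($edited, $now));
```

In a page this would be called as `read_cookie_value($_COOKIE['remember'] ?? null, time())`, where the cookie name `remember` is hypothetical. Keeping only a user id in the cookie and looking the access level up server-side avoids trusting the client for authorization at all.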
#139
I found this as a little extra for CMS security
PHP Code:
#140
Wow, you're right. I put that line in my code and now I can't hack into my program at all. It's amazing...
Anyhow... Thanks for the tip, but you may want to describe what it does and how someone should use it. That's the whole purpose of this thread.
---John Holmes...
#141
http://www.etronicscomputers.com/do...orbeginners.htm
Is this a secure way for using sessions? This is an easy example for me to understand, but I won't use it if it's not a secure one. It looks secure though. Check it out. Thanks!
#142
thanks for this great post - will surely help a lot !!!
__________________
:P
#143
HELP!
I'm extremely confused now. I'm almost finished creating my Content system and one of the things I need to finish is the login/validating part. This example below, is it for logging in or validating after logging in on every page? It also seems that everyone has a different example and a different opinion and I'm trying to make my CMS as secure as possible but with all these opinions, different examples, and some that don't work, is there one example we can all agree on, or are there any good examples you can recommend? About the below example, I tried it, didn't work, still don't know if it's for logging in or validating after logging in. Someone please help me? Thank you.
Quote:
#144
If you have questions, please start a new thread. This thread is for security notes, a place to post remarks related to PHP security. This isn't the best place to ask new questions. The only people reading this thread are (hopefully) newbies here and those of us that have contributed and get the notice through email that someone posted here.
Anyhow, that code you posted here is not a good method to use at all. It's setting the user's password in a cookie, which is a bad idea and the query is messed up (repeated $user check). There are better methods and it's been discussed around here a lot. Either search or start a new thread with your questions.
---John Holmes...
#145
Quote:
Personally I prefer to check the $page for punctuation and simply deny it and return an error page if any exists. It means a bit extra thought into how directory structures are going to be laid out. Alternatively you might simply check for a "../" or "://".
#146
I like to predefine all my pages that will be accessed. However, I don't just load the page names into the array: I load key=>value pairs into the array. I pass the KEY in the url, so the user never knows what file they're getting.
I know which pages will be permissible, and which will not. I load these accepted pages into an array, and perform a check on them. If the page exists in the array, I include it. Otherwise, I don't. Pretty common method nowadays. Twofold advantage: Secure, and shadowed, meaning the user doesn't really know what they're looking at. All they see is "index.php?code=00". It's not very extensible (well, it could be with some tricks), but it's just my preferred method.
#147
Keiichi Morisato's method is my choice for this .inc mess,
PHP Code:
But I only accept letters a-z in $page; everything else gets ripped away.
About cookies/username/password, I use two cookies. One contains data for timeout (name=session_time, value=time_of_creation, updated every request), one contains no information (name and value are generated randomly at login, this is only to annoy hackers).
All I do is that I compare that current_time - session_time < 10minutes and randomly_generated_cookie_name value = randomly_generated_cookie_value; if all this adds up, then I trust my session and I can check user_level, used_id etc from session.
Example: randomly_generated_cookie_name = 2434b2cc4c148f68de4ecbaf549710e7
These of course are in addition to php's own session id cookie. If you want to make it a bit harder to hack you can change the values to random number cookie every request. Any thoughts?
-9902468
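The allow-list approach from #145 to #147 as an added example (not code from any poster in this thread): the URL carries only a two-digit key, and the file name always comes from a server-side map. The map entries, `PAGE_DIR` and `resolve_page()` are hypothetical names, and the inputs in the loop are constructed.

```php
<?php
// Added example. PAGE_DIR, PAGES and resolve_page() are hypothetical names.
const PAGE_DIR = __DIR__ . '/pages';

// key => file map: the visitor only ever sees the key (index.php?code=00).
const PAGES = [
    '00' => 'home.php',
    '01' => 'news.php',
    '02' => 'contact.php',
];

// Return the file to include for a request key, or null to deny.
function resolve_page($code): ?string
{
    // Deny anything that is not exactly two digits. This also rejects
    // array input (?code[]=00), punctuation, "../" and "://".
    if (!is_string($code) || !preg_match('/\A[0-9]{2}\z/', $code)) {
        return null;
    }
    // Well-formed but unknown keys are denied too.
    if (!array_key_exists($code, PAGES)) {
        return null;
    }
    // The path is built only from server-side constants.
    return PAGE_DIR . '/' . PAGES[$code];
}

// Constructed inputs: two valid keys, an unknown key, a malformed key,
// a traversal string, a remote URL and an array.
$samples = ['00', '02', '99', '7', '../../etc/passwd',
            'http://example.invalid/x.txt', ['00']];
foreach ($samples as $input) {
    $file = resolve_page($input);
    echo json_encode($input), ' => ', $file ?? 'denied, serve error page', PHP_EOL;
}

// In index.php (sketch):
//   $file = resolve_page($_GET['code'] ?? null);
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;
```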
#148