WebApp Sec mailing list archives

Re: Correct Session Authentication

From: Siim Põder <siim.poder_1398 () eesti ee>
Date: Sat, 29 Jul 2006 19:59:57 +0300

Yo!

On 29.07.2006 16:14, xbennx () hotmail co uk wrote:

When a user logs on, the username and password are sent via SSL and
the md5 hash is then checked against a hash stored in database. If
the credentials are found in the database, the users id is return and
stored in a session. If the credentials are not found this session
value is 0. Every page that a user needs to be authenticated to see
checks to see that the user id stored in the session is greater than
0, if not the user is classed as not authorised as 0 is not a valid
user id.

Do you mean that when the credentials are not found, the *user id**stored in session* is set 0?

Is this method secure or can it be easily bypassed?

The general method is fine, but there are hurdles that have to bewatched out for in the implementation.

Another thing I was wondering is where are sessions values actually
stored? I've read that they're stored in cookies but I always thought
there was a seperate function in php to create cookies?

As far as I know it should be configurable and could be in a temporaryfile, memory or a database.

Sorry this is so long, any help will be much appreciated.


Size doesn't matter. It's what you write and how you do it.

--
Siim Põder

The argument goes something like this: `I refuse to prove that I exist,'
says God, `for proof denies faith, and without faith I am nothing.
`But,' says Man, `The Babel fish is a dead giveaway, isn't it? It could
not have evolved by chance. It proves you exist, and so therefore, by
your own arguments, you don't. QED.'
`Oh dear,' says God, `I hadn't thought of  that,' and promptly vanished
in a puff of logic.
`Oh, that was easy,' says Man, and for an encore goes on to prove that
black is white and gets himself killed on the next zebra crossing.
        -- Douglas Adams

-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan 6.5 is now available! New features for Web Services Testing, 
Advanced Automated Capabilities for Penetration Testers, PCI Compliance 
Reporting, Token Analysis, Authentication testing, Automated JavaScript 
execution and much more. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------

Current thread:

Correct Session Authentication xbennx (Jul 29)
- Re: Correct Session Authentication Siim Põder (Jul 29)
- Re: Correct Session Authentication Balazs Attila-Mihaly (Cd-MaN) (Jul 29)
  - Re: Correct Session Authentication Dean H. Saxe (Jul 30)
- Re: Correct Session Authentication Santiago Rocandio (Jul 29)