WebApp Sec mailing list archives
Re: Correct Session Authentication
From: Siim Põder <siim.poder_1398 () eesti ee>
Date: Sat, 29 Jul 2006 19:59:57 +0300
Yo! On 29.07.2006 16:14, xbennx () hotmail co uk wrote:
When a user logs on, the username and password are sent via SSL and the md5 hash is then checked against a hash stored in database. If the credentials are found in the database, the users id is return and stored in a session. If the credentials are not found this session value is 0. Every page that a user needs to be authenticated to see checks to see that the user id stored in the session is greater than 0, if not the user is classed as not authorised as 0 is not a valid user id.
Do you mean that when the credentials are not found, the *user id* *stored in session* is set 0?
Is this method secure or can it be easily bypassed?
The general method is fine, but there are hurdles that have to be watched out for in the implementation.
Another thing I was wondering is where are sessions values actually stored? I've read that they're stored in cookies but I always thought there was a seperate function in php to create cookies?
As far as I know it should be configurable and could be in a temporary file, memory or a database.
Sorry this is so long, any help will be much appreciated.
Size doesn't matter. It's what you write and how you do it. -- Siim Põder The argument goes something like this: `I refuse to prove that I exist,' says God, `for proof denies faith, and without faith I am nothing. `But,' says Man, `The Babel fish is a dead giveaway, isn't it? It could not have evolved by chance. It proves you exist, and so therefore, by your own arguments, you don't. QED.' `Oh dear,' says God, `I hadn't thought of that,' and promptly vanished in a puff of logic. `Oh, that was easy,' says Man, and for an encore goes on to prove that black is white and gets himself killed on the next zebra crossing. -- Douglas Adams
------------------------------------------------------------------------- Sponsored by: Watchfire AppScan 6.5 is now available! New features for Web Services Testing, Advanced Automated Capabilities for Penetration Testers, PCI Compliance Reporting, Token Analysis, Authentication testing, Automated JavaScript execution and much more. Download a Free Trial of AppScan today! https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc -------------------------------------------------------------------------
Current thread:
- Correct Session Authentication xbennx (Jul 29)
- Re: Correct Session Authentication Siim Põder (Jul 29)
- Re: Correct Session Authentication Balazs Attila-Mihaly (Cd-MaN) (Jul 29)
- Re: Correct Session Authentication Dean H. Saxe (Jul 30)
- Re: Correct Session Authentication Santiago Rocandio (Jul 29)