Lazor, Ed wrote:
>Use sessions. Create a user_id and pass that as a session variable rather
>than the user's actual login and password.
>
>-----Original Message-----
>On my site, when a user logs in, their password is encrypted using md5() and
>the username and encrypted password is then passed from page to page using
>hidden form inputs (clicking on a link submits the form using POST).
>Does anyone have any comments on this method, e.g. security-wise? I know I
>could use sessions or cookies, but is it really necessary?
>
This is good advice. There are many reasons why, but here's one off the top of my head:

When you pass the encrypted password around, you can pretty much consider it in the public domain, right? Well, what happens when someone else takes that encrypted password (why bother decrypting it?) and presents it back to your site? That's right; they're in. This is called a presentation attack, and you'd be amazed at how many sites are vulnerable to this (I wrote an article a while back about how to break into MS Passport using this technique).

How do sessions help against this? Well, they don't solve the problem entirely, of course, but the unique ID you pass around won't be the same unique ID *every* time that user visits the site. So, you at least have a good chance of making the window of time that an imposter has to work with very small. Security is all about making things really hard for potential attackers.

Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
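The replay Chris describes, side by side with the session-based alternative Ed recommends, as an added example that is not part of the thread above. The user table, the "captured" POST body and the in-memory session store are all constructed for this demo; in a real PHP application the array of sessions would be PHP's own session handler (session_start(), $_SESSION, session_regenerate_id(true) after login, session_destroy() on logout). The md5() of the password is kept only because that is the original poster's scheme; hash_equals() is used for the comparisons so the demo does not add a timing side channel of its own.

```php
<?php
// Added example (not from the mailing-list thread). Compares the hidden-field
// scheme from the original post with a session-based scheme, from the point of
// view of the replay ("presentation") attack described in the reply.
// All data below is constructed for the demo.

// Constructed user table: username => md5(password), as in the OP's scheme.
$users = [
    'alice' => md5('correct horse'),
];

// --- Scheme 1: username + md5(password) travel in hidden form fields ---
// The server re-checks the two fields on every page. Whoever sees one POST
// body can resend it forever: the hash is a fixed credential, not a ticket.
function hiddenFieldAuth(array $users, array $post): bool
{
    if (!isset($post['username'], $post['pwhash'])) {
        return false;
    }
    $stored = $users[(string) $post['username']] ?? null;
    return $stored !== null && hash_equals($stored, (string) $post['pwhash']);
}

// --- Scheme 2: server-side session keyed by a random ID ---
// Only the session ID travels with the request; user_id stays on the server.
// $sessions stands in for PHP's own session store ($_SESSION) in this demo.
$sessions = [];

function sessionLogin(array $users, array &$sessions, string $username, string $password): ?string
{
    $stored = $users[$username] ?? null;
    if ($stored === null || !hash_equals($stored, md5($password))) {
        return null;
    }
    // Fresh, unpredictable ID per login (what session_start()/session_regenerate_id() give you).
    $sid = bin2hex(random_bytes(16));
    $sessions[$sid] = ['user_id' => $username, 'created' => time()];
    return $sid;
}

// Returns the user_id for a live session, or null if the ID is unknown,
// destroyed or older than $maxAge seconds. The expiry is what keeps the
// attacker's window small, as the reply above points out.
function sessionAuth(array $sessions, string $sid, int $maxAge = 1800): ?string
{
    $s = $sessions[$sid] ?? null;
    if ($s === null || time() - $s['created'] > $maxAge) {
        return null;
    }
    return $s['user_id'];
}

function sessionLogout(array &$sessions, string $sid): void
{
    unset($sessions[$sid]);   // session_destroy() equivalent
}

// --- Demo: the attacker captures one request from each scheme ---

// Constructed capture of a hidden-field POST (what a sniffer, proxy or
// browser history would show).
$capturedPost = ['username' => 'alice', 'pwhash' => md5('correct horse')];

echo "hidden fields, genuine request:   ", var_export(hiddenFieldAuth($users, $capturedPost), true), "\n";
// Any time later, the same bytes still work: nothing ever expires.
echo "hidden fields, replayed later:    ", var_export(hiddenFieldAuth($users, $capturedPost), true), "\n";

// Session site: the attacker captures the session ID instead.
$sid = sessionLogin($users, $sessions, 'alice', 'correct horse');
echo "session, genuine request:         ", sessionAuth($sessions, $sid), "\n";
// Replay while the session is live still succeeds (sessions don't solve it entirely).
echo "session, replayed while live:     ", sessionAuth($sessions, $sid), "\n";

// Simulate the session ageing past its lifetime: the captured ID is now useless.
$sessions[$sid]['created'] -= 3600;
echo "session, replayed after expiry:   ", var_export(sessionAuth($sessions, $sid), true), "\n";

// Logout (or a new login) invalidates it outright.
sessionLogout($sessions, $sid);
echo "session, replayed after logout:   ", var_export(sessionAuth($sessions, $sid), true), "\n";

// The user's next visit gets a different ID, so the old capture stays stale.
$sid2 = sessionLogin($users, $sessions, 'alice', 'correct horse');
echo "next login reuses captured ID?    ", var_export($sid === $sid2, true), "\n";
```

Run it with `php replay_demo.php`. The hidden-field checks print `true` both times; the session checks go from `alice` to `NULL` once the session expires or is destroyed, and the next login's ID differs from the captured one. The remaining window (a live session ID can still be replayed until it expires) is exactly the caveat Chris makes, which is why real deployments also tie the session to a cookie that is not in the page body and keep the lifetime short.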