[nycphp-talk] secure login/logon
ramons at gmx.net
Mon Aug 6 08:06:19 EDT 2007
> I just need pointing in the right direction. Does anybody know where I
> should be looking for in information on secure login/logon (using PHP 5
When you say "secure login", do you mean changing over to https? Do you
want to use a database?
Typically, you would keep track of user's logins in a session, but that
means using a cookie. One way that I thought of without using a database
and cookies is checking on page access against the password file of
Apache, which on top forces a user name / password entry on the first
access. There may be a way to get the valid user state from Apache
through $_SERVER, but I don't know. In any case, you would need to reset
the logged in state for a user as soon as they leave the page (means as
soon as your php/html is finsihed), same as entering the secure mall
area and leaving it.
That is far away from ideal as I can think instantly of a whole bunch of
scenarios where this falls apart, but it would be as safe or unsafe as
electronic access control in a mall building. In that case, as soon as
you leave the secured area and want to enter again, you have to use the
credentials again. A finished page is to be considered leaving the
secured area. Otherwise it will be like propping the door open. In
regards to the web app, if cou do not amndate reauthentication on each
page load one can login once and then leave the web browser open for
everyone else to use. Using a timer comes to mind that after finishing
redirects to a unsecure page or at least requires reauthentication (this
is like the security guard who asks for your credentials and in case
you don't have them kicks you out), but I have no idea how timers behave
in connection to any links or forms on the page.
Hmmm, no real answer, but maybe I just put enough crazy ideas on the
table that allow you to steer into the right direction. Is this for some
demo? Would be kewl if you get one of these cheap keyboard wedges that
translate magcard swipes into typed characters. Then you can mimic a
real access control system with card swipe plus PIN.
If you need any further details on the "real" access control part let me
know, I worked in the industry for almost seven years.
More information about the talk