[nycphp-talk] Encrypting/Decrypting data w/php
Ben Sgro
ben at projectskyline.com
Mon Dec 10 16:50:05 EST 2007
Hello,
Just to clarify, when I say "session" I don't mean "session" data. Just
a previous "session" of work performed by the user. I want to save their
settings.
This is a tool for company use only, specifically debugging/QA and is CL
driven.
Now to answer your other questions:
Nick Galbreath wrote:
>
>
> Hi, I'm the speaker from last week's NYPHP talk on cryptography.
>
> 1) SLIDES
>
> Sorry for delay. I will be posting my slides shortly! I've been
> reworking them and getting source code online. I will post here when
> they are up.
>
>
>
> 2) ENCRYPTED SESSIONS
>
>
> Most importantly, before any technical questions is "what threats are
> you trying to model"? and what type of data are you trying to protect?
> (I ask since certain data, i.e. such as credit cards, have certain
> standards). For example:
>
>
> 1) hacker "breaks in" and scans session data for ???
Username/Logins - This would be the most valuable data in the xml file.
> 2) hacker scans network traffic from database to php-app to get ???
It doesn't provide a web interface. And the XML wouldn't be served by
HTTP. This wouldn't be in web root.
> 3) hacker hijacks session and takes over another account
I wouldn't think so. Unless they hijack a tty. But honestly, if they
have root on the box we have other problems.
>
>
> etc etc...
>
>
> Then there are some product questions:
>
> 1) Do you have "user database" or are these just anonymous sessions?
Work sessions.
> 2) Is _all_ data in the session sensitive? Do you want an encrypted
> XML file or an XML file with encrypted data? And why?
No. Just the username/password.
> 3) How much data per user per session is expected?
Not that much. 20k?
> 4) What is anticipated volume/growth of the website?
CL App.
> 5) Is this data, _just_ going to live in session? It's never going
> into a database or other file? If not how do we protect those items?
Nope.
> 6) Do you need password recovery? Or what if the user forgets the
> password the data is gone?
They'd have to create a new "session".
> 7) How are you currently storing session data (are sessions sticky to
> a machine? or are sessions on a separate box)
Local.
>
>
> From this a solution can be crafted. Maybe there is a simple out of
> the box solution (e.g. an encrypted disk volume might
> be all you need!). If you need more help, please contact me directly
>
> thanks,
>
> -- Nick Galbreath
> nickg at modp.com
>
>
> On 12/10/07, Gary Mort <bz-gmort at beezifies.com> wrote:
>
> Speaking of encryption/decryption, were the notes from the last
> presentation posted up somewhere?