[nycphp-talk] Question about encryption
Sexton, David
David.SextonJr at ubs.com
Tue Jul 8 15:38:28 EDT 2003
If you really need to make your auth process virtually hack-proof, you
should use SSL. I've never used PHP's OpenSSL functions, but you might want
to check into it if that type of security is warranted.
The username/password scheme that has been chosen is just adding to the
probability that unauthorized access will occur, but maybe you want to
create a system where users can modify their own passwords, or use another
service to authenticate against a more secure user database. For example,
permissioning a group of users to access an FTP directory, then trying the
connection using PHP's FTP functions against the FTP service. On NT, this is
nice because you don't have to maintain another user database, and users can
change their domain passwords whenever they want (and it would filter down
to your app automatically).
As for passing user id's around, why not use sessions? They are easier to
work with and provide a little more security in that the user's credentials
aren't floating back and forth (although it doesn't address session
hijacking).
Hope it gives you some ideas.
-----Original Message-----
From: Joshua Glenn [mailto:wheelie at acedsl.com]
Sent: Tuesday, July 08, 2003 11:52 AM
To: NYPHP Talk
Subject: [nycphp-talk] Question about encryption
Hey All,
I'm working on a site and the client has made the username and password for
members of the site a combination of their ID and lastname. I know, it's
More information about the talk
mailing list