FAO: David Powers - Faulty Login Procedure?

Jul 12, 2006
You said in a post the other day the login procedure was flawed in DW MX
2004 (I believe?). Can you give me a suggestion on where to go to a) create
my own login page c) fix this problem?

I don't really think creating the login page would be that difficult, but I
want to base my first "home rolled" page on sound security principles. (ie,
I'd like to make sure I don't make some obvious mistakes on handling stuff).

--

TIA,

Jon Parkhurst
PriivaWeb
http://priiva.net.


Topics: Server side applications
Jul 12, 2006
crash wrote:
> You said in a post the other day the login procedure was flawed in DW MX
> 2004 (I believe?). Can you give me a suggestion on where to go to a) create
> my own login page c) fix this problem?

It's easy to fix by hand. Details are in the first post in the following
thread:

http://friendsofed.infopop.net/2/OpenTopic?a=tpc&s=989094322&f=8033053165&m=324102421

--
David Powers
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "Foundation PHP 5 for Flash" (friends of ED)
http://foundationphp.com/
Jul 13, 2006
Thanks David.

I actually rewrote a script for our site last night - can you tell me in
your opinion should DW's script be used over others? Are there security
issues I might not think about on my own that DW addresses?

Does DW use its security to check the username/password combo against the
database on every page? Is this the best way?

Can session variables be spoofed? Is it safe to use one as a method to know
a user is logged in, or IYO should it just be verified every time?

From what I've read here, it appears that session variables could be spoofed
if you have global_register turned on, but is there any other way?
http://mailman.npotechs.org/pipermail/techtalk/2005-April/004198.html

I'm going to guess your advice will be "don't worry about it, just use DW
and correct errors", but if my other script will work, it's much smaller and
I think will use less resources.

Thanks,

Jon

"David Powers" <david@example.com> wrote in message
news:e93srb$661$2@forums.macromedia.com...
> crash wrote:
>> You said in a post the other day the login procedure was flawed in DW MX
>> 2004 (I believe?). Can you give me a suggestion on where to go to a)
>> create my own login page c) fix this problem?
>
> It's easy to fix by hand. Details are in the first post in the following
> thread:
>
> http://friendsofed.infopop.net/2/OpenTopic?a=tpc&s=989094322&f=8033053165&m=324102421
>
> --
> David Powers
> Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
> Author, "Foundation PHP 5 for Flash" (friends of ED)
> http://foundationphp.com/


Jul 13, 2006
I just reused the DW login.

"crash" <crash@bcdcdigital.com> wrote in message
news:e95tr0$mfk$1@forums.macromedia.com...
> Thanks David.
>
> I actually rewrote a script for our site last night - can you tell me in
> your opinion should DW's script be used over others? Are there security
> issues I might not think about on my own that DW addresses?
>
> Does DW use its security to check the username/password combo against the
> database on every page? Is this the best way?
>
> Can session variables be spoofed? Is it safe to use one as a method to
> know a user is logged in, or IYO should it just be verified every time?
>
> From what I've read here, it appears that session variables could be
> spoofed if you have global_register turned on, but is there any other way?
> http://mailman.npotechs.org/pipermail/techtalk/2005-April/004198.html
>
> I'm going to guess your advice will be "don't worry about it, just use DW
> and correct errors", but if my other script will work, it's much smaller
> and I think will use less resources.
>
> Thanks,
>
> Jon
>
> "David Powers" <david@example.com> wrote in message
> news:e93srb$661$2@forums.macromedia.com...
>> crash wrote:
>>> You said in a post the other day the login procedure was flawed in DW MX
>>> 2004 (I believe?). Can you give me a suggestion on where to go to a)
>>> create my own login page c) fix this problem?
>>
>> It's easy to fix by hand. Details are in the first post in the following
>> thread:
>>
>> http://friendsofed.infopop.net/2/OpenTopic?a=tpc&s=989094322&f=8033053165&m=324102421
>>
>> --
>> David Powers
>> Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
>> Author, "Foundation PHP 5 for Flash" (friends of ED)
>> http://foundationphp.com/
>
>


Jul 13, 2006
crash wrote:
> Does DW use its security to check the username/password combo against the
> database on every page? Is this the best way?

No, it uses a session variable once the user has logged in. Checking the
user/password combo on every page sounds like a waste of resources.

> Can session variables be spoofed? Is it safe to use one as a method to know
> a user is logged in, or IYO should it just be verified every time?

They can be spoofed, but it's quite difficult to do so. The standard
recommendation is to regenerate the session variable after a change in
security level, but not otherwise.

http://www.php.net/manual/en/function.session-regenerate-id.php

> From what I've read here, it appears that session variables could be spoofed
> if you have global_register turned on, but is there any other way?

If you have register_globals turned on, you have thrown security out of
the window. The main danger, as I understand it, is if you pass the
session ID through the URL. That is easy to hijack. By default, passing
the ID through the URL is disabled.

--
David Powers
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "Foundation PHP 5 for Flash" (friends of ED)
http://foundationphp.com/
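The points David makes above (session variable rather than a per-page password check, rotate the session ID when the security level changes, never carry the ID in the URL, and register_globals is a lost cause) can be put into a single small login script. The following is an added example written for this thread, not the Dreamweaver-generated code and not David's own; it targets modern PHP (7.x or later), and the function names, the constructed `demo_users()` table and the `/login.php` and `/members.php` paths are this example's own assumptions.

```php
<?php
// Added example: cookie-only session login for PHP 7.x/8.x.
// Not the Dreamweaver script; demo_users(), the paths and all function
// names are this example's assumptions.

declare(strict_types=1);

// register_globals cannot be switched off at runtime, so refuse to serve
// if it is on. On PHP >= 5.4 the directive no longer exists and ini_get()
// returns false, so this check simply passes.
if (ini_get('register_globals')) {
    http_response_code(500);
    exit('register_globals must be disabled in php.ini');
}

function harden_session_config(): void
{
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');    // never append the ID to links
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        ini_set('session.cookie_secure', '1');
    }
    session_start();
}

// Constructed stand-in for the users table (a real site would run a
// prepared statement). Hashes are generated here so the file runs offline.
function demo_users(): array
{
    return [
        'jon' => ['id' => 1, 'role' => 'admin',
                  'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        'ann' => ['id' => 2, 'role' => 'member',
                  'hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
    ];
}

// Credentials are verified once, here. On success the session stores only
// the id and the access level (never the password), and the session ID is
// regenerated because the security level has just changed.
function login(string $username, string $password, array $users): bool
{
    $row = $users[$username] ?? null;
    // Verify against a throwaway hash for unknown users so that a missing
    // account costs the same time as a wrong password.
    $hash = $row['hash'] ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // discard the pre-login ID
    $_SESSION['user_id']  = $row['id'];
    $_SESSION['role']     = $row['role'];
    $_SESSION['login_at'] = time();
    return true;
}

// Per-page gate: the session variable is the proof of login; no database
// round trip and no password anywhere near the page.
function require_login(array $allowed_roles = ['member', 'admin']): void
{
    if (empty($_SESSION['user_id'])
        || !in_array($_SESSION['role'] ?? '', $allowed_roles, true)) {
        header('Location: /login.php');
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// login.php handler: one generic error for both failure cases.
harden_session_config();
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = (string) ($_POST['username'] ?? '');
    $p = (string) ($_POST['password'] ?? '');
    if (login($u, $p, demo_users())) {
        header('Location: /members.php');
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<form method="post" action="/login.php">
  <?= $error !== '' ? '<p>' . htmlspecialchars($error) . '</p>' : '' ?>
  <input name="username" autocomplete="username">
  <input name="password" type="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
```

A protected page then only needs `harden_session_config(); require_login(['admin']);` at the top. If a "remember me" cookie is added, as Jon describes doing later in the thread, it should hold a random token that is looked up server-side, never the username or password, and a login from that token should go through the same `session_regenerate_id(true)` step.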
Jul 13, 2006
> crash wrote:
>> Does DW use its security to check the username/password combo against
>> the database on every page? Is this the best way?
>
> No, it uses a session variable once the user has logged in. Checking the
> user/password combo on every page sounds like a waste of resources.

That's what I was thinking. I couldn't find the session variable for the
user class, which is why I thought it was re-checking. However, I found it
later - I had mistaken it for the password. When I realized it was foolish to
keep the password in, I was OK. :O)


>> Can session variables be spoofed? Is it safe to use one as a method to
>> know a user is logged in, or IYO should it just be verified every time?
>
> They can be spoofed, but it's quite difficult to do so. The standard
> recommendation is to regenerate the session variable after a change in
> security level, but not otherwise.
>
> http://www.php.net/manual/en/function.session-regenerate-id.php
>
>> From what I've read here, it appears that session variables could be
>> spoofed if you have global_register turned on, but is there any other
>> way?
>
> If you have register_globals turned on, you have thrown security out of
> the window. The main danger, as I understand it, is if you pass the
> session ID through the URL. That is easy to hijack. By default, passing
> the ID through the URL is disabled.

Understood. Thanks for all your help, sir. I've got it set up and working
fine now. I went ahead and removed the script from the page, inserted my
cookie if they'd checked save, and I think I've got it all streamlined now.

Thanks again, this stuff is scary. Don't want to mess up on your front door
lock.

