Re: the "correct" way to login.
| From | Andrew Hammond |
|---|---|
| Subject | Re: the "correct" way to login. |
| Date | |
| Msg-id | 20010329184117.A12756@waugh.econ.queensu.ca |
| In reply to | Re: the "correct" way to login. ("Jon Tai" <jon@tgpsolutions.com>) |
| List | pgsql-php |
On Sat, Mar 17, 2001 at 01:58:15AM -0800, Jon Tai wrote:
> HTTP auth is bad for several reasons.
>
> 1) The user/pass is submitted upon each request to the page.

As it is with the cookie solution you provide below. Assuming you have one, what's your point?

> 2) There is no way to control how long a session lasts (auto-logout after a
> certain time)

That is incorrect. Not only is this possible but it's relatively trivial. I know because I've done it.

> 3) There is no way to end the session explicitly (logout button)

IBID.

And a much more severe problem is present with your form-based login. You may be shocked to hear this, but some web browsers have a history feature which allows evil bad people to discover userid/password combinations in URLs accessed by GET forms. So of course you have to POST the form instead. The variables from POSTed forms are typically cached, so you'd better not forget to expire the content. So you're good to go, except for that damned cookie file. While you can easily set an expiry date on a cookie, that doesn't necessarily purge it from the cookie file. In fact, some browsers only vacuum their cookie jar on startup / shutdown. And it doesn't take a whole lot of clue to dissect a cookie file.

> 4) There is built-in session support in PHP4. Use it. =)

There is built-in authorization support in the HTTP standard. Use it. Try reading "HTTP 1.1" RFC 2068 sections 10.4.2, 11 and 14.8.

So, I say again: the correct way to solve this problem is to use HTTP authentication. Standards exist for a reason.
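The message above asserts that an idle timeout and an explicit logout are both "relatively trivial" with HTTP authentication but shows no code. The script below is an added example of one way to do it in PHP; it is not Andrew Hammond's code or anything posted in this thread. It assumes PHP 7.4 or later under mod_php or php-fpm (the SAPIs that populate `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`), a constructed single-user credential store, and a JSON file at `/tmp/http_auth_state.json` standing in for the per-user state table; the realm name `Members` and the 900-second timeout are arbitrary.

```php
<?php
// Added example: HTTP Basic authentication with an idle timeout and an explicit
// logout. Not code from the thread. Assumes PHP 7.4+ under mod_php or php-fpm,
// which populate $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
declare(strict_types=1);

const REALM        = 'Members';                      // assumed realm name
const IDLE_TIMEOUT = 900;                            // seconds of inactivity before re-prompting
const STATE_FILE   = '/tmp/http_auth_state.json';    // assumed per-user state store

// Constructed demo credential store; in practice this is a users table.
// The hash is recomputed per request only to keep the example self-contained.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function load_state(): array
{
    if (!is_file(STATE_FILE)) {
        return [];
    }
    $decoded = json_decode((string) file_get_contents(STATE_FILE), true);
    return is_array($decoded) ? $decoded : [];
}

function save_state(array $state): void
{
    file_put_contents(STATE_FILE, json_encode($state), LOCK_EX);
}

// A 401 carrying WWW-Authenticate makes the browser prompt the user again instead
// of silently resending the credentials it cached for this realm. That single
// behaviour is what gives HTTP auth both a logout and a timeout.
function challenge(string $message): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('Cache-Control: no-store');
    http_response_code(401);
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    exit;
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || !isset($USERS[$user]) || !password_verify($pass, $USERS[$user])) {
    challenge('Login required.');
}

$state = load_state();
$now   = time();
// 'challenged' records that the last thing this user received was a 401, so the
// next authenticated request counts as a fresh login, not a cached resend.
$entry = $state[$user] ?? ['last' => 0, 'challenged' => true];

if (isset($_GET['logout'])) {                                   // explicit logout
    $state[$user] = ['last' => 0, 'challenged' => true];
    save_state($state);
    challenge('You have been logged out.');
}

if (!$entry['challenged'] && ($now - $entry['last']) > IDLE_TIMEOUT) {   // idle timeout
    $state[$user] = ['last' => 0, 'challenged' => true];
    save_state($state);
    challenge('Session expired; please log in again.');
}

$state[$user] = ['last' => $now, 'challenged' => false];         // activity seen, reset the clock
save_state($state);

header('Cache-Control: no-store');
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '. <a href="?logout=1">Log out</a>';
```

Drop the file in a web root and load it: the browser prompts, `alice` gets in, the "Log out" link answers 401 and the next prompt is a new login; leave the page idle longer than the timeout and the next click does the same. Three caveats a reader of this thread would want. First, Basic sends the password on every request, exactly as point 1 of the quoted message says, so this only belongs behind TLS. Second, the state is keyed by user name, not by browser, so two browsers logged in as `alice` share one timer and one logout; a real deployment keys it on something per-client as well. Third, the browser's re-prompt is usually pre-filled, so clicking OK logs the user straight back in and pressing Cancel is what actually discards the cached credentials; the server-side `challenged` flag is what keeps the timeout honest regardless. The JSON file is a stand-in: its read-modify-write is not atomic under concurrent requests, and on this list the natural home for `last` and `challenged` is a PostgreSQL table updated in one statement.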