On Fri, 24 Oct 2003 18:20:02 +0200 Dario Lopez-Kästen <dario@ita.chalmers.se> wrote:
Jens Vagelpohl wrote:
> Why is everybody so obsessed with AUTHENTICATED_USER? This variable is
> not suitable for anything deserving the name "security". It is NOT
> SAFE to assume that it will contain anything useful.
Right, when can we consider REQUEST to be fairly safe? I.e. I know that it can be manipulated by any kind of script during the lifetime of a request, and also be populated from the URL. I consider manipulation from scripts acceptable behaviour, from the URL not.
Well, there are two answers.

First, this is what sessions are really designed for. I am not a big fan of sessions, because they lead to code that is harder to debug, and because the stateless nature of HTTP implies the necessity for implicit timeouts. Sessions do, however, solve this problem, and also can lead to substantial bandwidth reduction.

Second, if you have a set of variables that are being handled in the request, you can take care of security yourself. Concatenate the string representations of the variables, and a site or folder specific secret string. Calculate SHA of this concatenated string. Put the variables in the REQUEST per normal, but add the SHA, as well. When the REQUEST comes back, repeat the calculation, being sure to concatenate the strings and secret in the same order and compare the newly calculated SHA with the SHA in the REQUEST. If they differ, either one of the REQUEST variables or the SHA itself has been tampered with. Reject.

Jim Penny
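The sign-then-verify scheme from the second answer, as an added example that is not code from the thread: it keeps the idea (secret plus the request variables, digest travels with the request, recompute and reject on mismatch) but uses HMAC-SHA256 with a constant-time comparison instead of a bare SHA over a plain concatenation, and length-prefixes each name and value so that "ab"+"c" and "a"+"bc" cannot produce the same input. The field name `_sig` and the secret value are assumptions.

```python
import hashlib
import hmac

# Site- or folder-specific secret. Constructed placeholder; load it from
# configuration in practice and never put it in the form or the URL.
SECRET = b"example-folder-secret-change-me"
SIG_FIELD = "_sig"  # assumed name of the request variable carrying the MAC


def _canonical(fields):
    """Encode the variables unambiguously: sorted by name, each name and
    value prefixed by its length, so reordering or shifting a boundary
    between two values changes the bytes being authenticated."""
    parts = []
    for name in sorted(fields):
        key = str(name).encode("utf-8")
        value = str(fields[name]).encode("utf-8")
        parts.append(b"%d:%s=%d:%s" % (len(key), key, len(value), value))
    return b"\0".join(parts)


def sign_fields(fields, secret=SECRET):
    """Return a copy of the variables with the MAC added as SIG_FIELD."""
    mac = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    signed = dict(fields)
    signed[SIG_FIELD] = mac
    return signed


def verify_fields(request, secret=SECRET):
    """Recompute the MAC over the returned variables. Returns the verified
    variables (without SIG_FIELD) or None if the MAC is missing or any
    variable, or the MAC itself, was altered on the way back."""
    fields = dict(request)
    sig = fields.pop(SIG_FIELD, None)
    if sig is None:
        return None
    expected = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison; a byte-wise early exit would leak how many
    # leading digits of a forged MAC were right.
    if not hmac.compare_digest(str(sig).encode("utf-8", "replace"), expected.encode()):
        return None
    return fields


if __name__ == "__main__":
    form = {"user_id": "42", "role": "viewer"}   # constructed sample form
    signed = sign_fields(form)
    assert verify_fields(signed) == form
    assert verify_fields(dict(signed, role="admin")) is None  # tampered
```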