FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Sanitizing user input
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Sanitizing user input [message #169897 is a reply to message #169893] Wed, 29 September 2010 16:21 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 9/29/2010 9:47 AM, Web Dreamer wrote:
> Jerry Stuckle a écrit ce mercredi 29 septembre 2010 12:57 dans
> <i7v63r$7hh$1(at)news(dot)eternal-september(dot)org> :
>
>> On 9/29/2010 4:01 AM, Web Dreamer wrote:
>>> We are talking about "web applications", not "web sites".
>>> Small companies can not afford more servers than employees to host web
>>> apps (not web sites) useful for their employees.
>>> See my other reply in this thread.
>>>
>>
>> That is true. And even small companies want their site to provide one
>> consistent interface. What you have is a bunch of different
>> applications thrown together with no consistency between them.
>
> Depends, some can be consistent, but will "require" different logins and
> separate sessions.
>
> Some not.
>
> i.e. an application may be accessed ONLY by HR, and you do not want the HR
> to be automatically logged in this application (for security reasons) if
> he/she's logged in another application : you separate session handling (but
> can be linked to same user database)
> handling sessions separately does not mean you have to separate everything.
> This makes sure you are not logged in an application automatically after
> having logged in another, if you want separate sessions for security
> reasons.
>
> Explain why you would have inconsistency?
>

You have inconsistency because a person has to use multiple logins to
the same site to access different information. It means users not only
have to keep track of multiple userids/passwords for the same site, but
which userid/password accesses which information.

If you have completely separate applications, it is much better to have
them on separate sites - additionally, system software can further limit
access (i.e. only from certain ip addresses).

> Choosing consistency depends on the target and usage of the application, and
> can require to be totally separated concerning session handling even with
> consistency. I was only mentioning session handling.
>

Which affects consistency.

>> No
>> business which knows anything about the internet would want such on
>> their site. And only a code hacker would build such a site.
>
> No,
>
> Another example different from the one above:
>
> A shopkeeper can have two companies:
> A shoe shop
> A flower shop
> two different entities.
> They share one same server (same boss, different legal entities, and
> employees).
> You SURELY do not want to mix anything together! But the owner of the shops
> can afford only one server (2 or 3 employees in each shop), and you
> configure vhosts on the server.
>

No, and I would have two separate sites - one for each company. No
special session handling required, because each site can only access its
own cookies - and therefore only its own session information.

> Are you really sure you want top mix this?
> I seriously doubt it.
>
> Do you know any small business who would want to have mixed employee
> logins/accountability with another small business?
> Honestly... no...
> But sometimes they share a same "physical" server (same owner for the 2
> shops)
>

Nope, which is why they would have different sites. It makes no
difference whether they are on the same server or not - cookies are
domain specific, not server specific. One domain cannot access cookies
from another domain - it makes absolutely no difference whether they are
on the same server or not.

>>> Once you choose a session.name, you keep the same for the whole web app
>>> of course (otherwise everything would brake).
>>> What I mean is that for a "new app" you need a "new session.name" and you
>>> will keep this same session.name for the whole application of course.
>>>
>>> If you do not think of choosing a session.name for an application when
>>> you create it, and that you are asked to install this application on a
>>> server which already runs other applications (not sites), you risk
>>> clashes if they all use the same session.name.
>>>
>>
>> And you still run that same risk because some other application may have
>> chosen the same name. If you must separate your information, you should
>> use some prefix for your session array keys.
>
> There is much less risk, but indeed you are right about adding also a
> prefix.
>
> And again, separating sessions does not necessarily mean separating
> information.
>

Yes, it does - because scripts using one session cookie will not be able
to access data from the other session cookie.

> Sometimes you want things totally separated.
> Sometimes only "sessions" to be separated.
>
> And it's the one who pays you who decides.
>

So, you use different domains and different hosts. No problem at all,
and separation of session information is guaranteed.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: how to write a wsdl for php webservice?
Next Topic: ANNOUNCE - NHI1 / PLMK / libmsgque - Work-Package-II
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 10:31:10 GMT 2024

Total time taken to generate the page: 0.05487 seconds