Digest Authentication [message #179865]
Fri, 14 December 2012 00:49
dhtmlkitchen
Messages: 4 Registered: December 2012
Karma: 0
Junior Member
Hi,
I am trying to implement a password protected area of a site. I have never done this before.
HTTP digest authentication seemed suitable for our low-level security requirements.
Here is our PHP 5.3.6 configuration:
http://thai-massage.com/phpinfo.php
Here is the script I am using, from PHP.net:
http://php.net/manual/en/features.http-auth.php#example-349
The script is running here:
http://thai-massage.com/dollar-school/PHP-PayPal-IPN-master/example/auth.php
The login credentials are hard coded for sake of example. Eventually I want to get the password from a MySQL database.
Results:
* Cancel: "Text to send if user hits Cancel button"
* Correct Login (guest/guest): Displays login prompt again
* Incorrect Login (a/s): Displays login prompt again
Expected results:
* Cancel: "Text to send if user hits Cancel button"
* Correct login (guest/guest): "You are logged in as: guest"
* Incorrect login: "Wrong Credentials!"
Cancel is doing what I expect, but the login does not.
What am I doing wrong? How can I get the result I want?
Re: Digest Authentication [message #179866 is a reply to message #179865]
Fri, 14 December 2012 03:15
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 12/13/2012 7:49 PM, dhtmlkitchen(at)gmail(dot)com wrote:
> Hi,
>
> I am trying to implement a password protected area of a site. I have never done this before.
>
> HTTP digest authentication seemed suitable for our low-level security requirements.
>
> Here is our PHP 5.3.6 configuration:
> http://thai-massage.com/phpinfo.php
>
> Here is the script I am using, from PHP.net:
> http://php.net/manual/en/features.http-auth.php#example-349
>
> The script is running here:
> http://thai-massage.com/dollar-school/PHP-PayPal-IPN-master/example/auth.php
>
> The login credentials are hard coded for sake of example. Eventually I want to get the password from a MySQL database.
>
> Results:
> * Cancel: "Text to send if user hits Cancel button"
> * Correct Login (guest/guest): Displays login prompt again
> * Incorrect Login (a/s): Displays login prompt again
>
> Expected results:
> * Cancel: "Text to send if user hits Cancel button"
> * Correct login (guest/guest): "You are logged in as: guest"
> * Incorrect login: "Wrong Credentials!"
>
> Cancel is doing what I expect, but the login does not.
>
> What am I doing wrong? How can I get the result I want?
>
>
Do you have your web server configuration set up correctly?
HTTP authentication is handled by the web server. PHP only gets control
after the user has passed the web server's authentication.
It looks like you never set your web server up to handle the
authentication, so it never passes - and the server just keeps resending
the request.
Now if the user presses cancel, the web server will fail the
authentication request and pass the request on to your scripts (usually
an "authentication failed" page).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Digest Authentication [message #179867 is a reply to message #179865]
Fri, 14 December 2012 03:31
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 12/13/2012 7:49 PM, dhtmlkitchen(at)gmail(dot)com wrote:
> Hi,
>
> I am trying to implement a password protected area of a site. I have never done this before.
>
> HTTP digest authentication seemed suitable for our low-level security requirements.
>
> Here is our PHP 5.3.6 configuration:
> http://thai-massage.com/phpinfo.php
>
> Here is the script I am using, from PHP.net:
> http://php.net/manual/en/features.http-auth.php#example-349
>
> The script is running here:
> http://thai-massage.com/dollar-school/PHP-PayPal-IPN-master/example/auth.php
>
> The login credentials are hard coded for sake of example. Eventually I want to get the password from a MySQL database.
>
> Results:
> * Cancel: "Text to send if user hits Cancel button"
> * Correct Login (guest/guest): Displays login prompt again
> * Incorrect Login (a/s): Displays login prompt again
>
> Expected results:
> * Cancel: "Text to send if user hits Cancel button"
> * Correct login (guest/guest): "You are logged in as: guest"
> * Incorrect login: "Wrong Credentials!"
>
> Cancel is doing what I expect, but the login does not.
>
> What am I doing wrong? How can I get the result I want?
>
>
Back up and cancel that last post. From the headers it looked like you
were also trying to handle this in your httpd.conf or .htaccess file,
but on closer inspection I was wrong.
I don't see anything obviously wrong with the code, but you didn't post
the code you were actually using - just a reference to some code you
copied and modified.
You need to do some debugging of your code. First of all, you should be
doing this on a development machine (not a live server!), preferably
local. I would suggest you dump the appropriate variables (i.e. the
$_SERVER array) to a file (hint: see print_r()) so you can see exactly
what the script is getting. Then follow your logic with those values to
see what's going on.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Digest Authentication [message #179868 is a reply to message #179865]
Fri, 14 December 2012 04:15
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 12/13/2012 7:49 PM, dhtmlkitchen(at)gmail(dot)com wrote:
> Hi,
>
> I am trying to implement a password protected area of a site. I have never done this before.
>
> HTTP digest authentication seemed suitable for our low-level security requirements.
>
> Here is our PHP 5.3.6 configuration:
> http://thai-massage.com/phpinfo.php
>
> Here is the script I am using, from PHP.net:
> http://php.net/manual/en/features.http-auth.php#example-349
>
> The script is running here:
> http://thai-massage.com/dollar-school/PHP-PayPal-IPN-master/example/auth.php
>
> The login credentials are hard coded for sake of example. Eventually I want to get the password from a MySQL database.
>
> Results:
> * Cancel: "Text to send if user hits Cancel button"
> * Correct Login (guest/guest): Displays login prompt again
> * Incorrect Login (a/s): Displays login prompt again
>
> Expected results:
> * Cancel: "Text to send if user hits Cancel button"
> * Correct login (guest/guest): "You are logged in as: guest"
> * Incorrect login: "Wrong Credentials!"
>
> Cancel is doing what I expect, but the login does not.
>
> What am I doing wrong? How can I get the result I want?
>
One other point - this is NOT a very good script. For instance, you
should NEVER use die() on a production system, especially for a
non-critical error. die() terminates processing of the page
immediately, resulting in invalid HTML at the browser.
Additionally, I think a very low percentage of PHP sites use such
authentication. Most have their own login page (using https protocol).
Once the user logs in, the script sets the appropriate information in
the $_SESSION array. Pages which require login just check for the
necessary data in the $_SESSION array, and if incorrect, redirect the
user to the login page. If the data are correct, the script just
continues with what it's supposed to do.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Digest Authentication [message #179913 is a reply to message #179868]
Wed, 19 December 2012 01:55
dhtmlkitchen
Messages: 4 Registered: December 2012
Karma: 0
Junior Member
On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>
>> I am trying to implement a password protected area of a site. I have never done this before.
[...]
> One other point - this is NOT a very good script. For instance, you
> should NEVER use die() on a production system, especially for a
> non-critical error. die() terminates processing of the page
> immediately, resulting in invalid HTML at the browser.
>
Wow, you're right!
Should I use `echo`?
When testing locally, after once entering wrong credentials, I
continue to get
`die('Wrong Credentials!');` and am given no opportunity to enter
correct credentials.
1. click "cancel"
2. reload.
3. enter wrong credentials and click "login"
4. reload.
Desired result:
Prompt for login credentials.
Actual result:
"Wrong Credentials!"
Is PHP_AUTH_DIGEST set automatically? And how and where in the script?
Also, what should I look for in print_r()?
> Additionally, I think a very low percentage of PHP sites use such
> authentication. Most have their own login page (using https protocol).
I'm not sure if we can do https here (it's a small, low budget project
on Yahoo Small Business). For our app, we'll use a PayPal IPN of $1 to
access the area of the site, and we're not worried about a MIM attack to get
free access. I convinced the site owner to use a managed,
password-protected area of the site, in favor of password protecting the zip file
and zipping up the site contents and giving a "hidden" URL.
If HTTPS isn't in budget, I'll try to amend the linked digest script.
If I'm on the wrong track, please advise other strategies for this
simple app.
Thank you,
--
Garrett
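An added example, not code from the original post or from php.net, showing the digest check in PHP and the fix for the loop Garrett describes: on any failed check the script sends a fresh 401 challenge, so the browser prompts again instead of resending the rejected credentials it has cached. It assumes PHP 7.1 or later running as an Apache module (where PHP fills $_SERVER['PHP_AUTH_DIGEST'] from the browser's Authorization header) and a constructed guest/guest user list; the realm, nonce secret and helper names are mine.

```php
<?php
// Added example, not the php.net script the thread links to. Shows where
// PHP_AUTH_DIGEST comes from, how the digest is checked, and why a failed
// check must answer with a fresh 401 challenge instead of die(): browsers
// keep resending the credentials they hold for a realm until the server
// sends a new 401, which is why "Wrong Credentials!" kept coming back.
//
// Assumptions (example only): PHP 7.1+ running as an Apache module, so the
// browser's "Authorization: Digest ..." header is copied by PHP into
// $_SERVER['PHP_AUTH_DIGEST'] before the script runs. Under CGI/FastCGI that
// key is often absent unless the server forwards the header; every request
// then looks unauthenticated and the prompt repeats even for a correct login.

const REALM        = 'Restricted area';
const NONCE_SECRET = 'replace-with-a-random-server-secret'; // placeholder
const NONCE_TTL    = 300; // seconds a nonce stays valid

// Constructed user list for the example: username => password. A database
// could store HA1 = md5("user:realm:password") instead of the password,
// since that is all verify_digest() needs.
$users = ['guest' => 'guest'];

// Nonce = timestamp:HMAC(timestamp), so the server can recognise nonces it
// issued and reject expired ones without keeping state.
function make_nonce(): string
{
    $ts = (string) time();
    return $ts . ':' . hash_hmac('sha256', $ts, NONCE_SECRET);
}

function nonce_is_valid(string $nonce): bool
{
    $parts = explode(':', $nonce, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0], NONCE_SECRET);
    return hash_equals($expected, $parts[1])
        && (time() - (int) $parts[0]) <= NONCE_TTL;
}

// Send the 401 challenge. stale=true tells the browser its credentials were
// fine but the nonce expired, so it can retry without prompting again.
function send_challenge(string $realm, bool $stale = false): void
{
    header('HTTP/1.1 401 Unauthorized');
    header(sprintf(
        'WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"%s',
        $realm, make_nonce(), md5($realm), $stale ? ',stale=true' : ''
    ));
}

// Parse key="value" / key=token pairs; null if a required field is missing.
function parse_digest(string $header): ?array
{
    $needed = array_flip(['username', 'realm', 'nonce', 'uri', 'qop',
                          'nc', 'cnonce', 'response']);
    $data = [];
    preg_match_all('@(\w+)=(?:"([^"]*)"|([^\s,]+))@', $header, $m, PREG_SET_ORDER);
    foreach ($m as $part) {
        $data[$part[1]] = $part[2] !== '' ? $part[2] : ($part[3] ?? '');
        unset($needed[$part[1]]);
    }
    return $needed ? null : $data;
}

// RFC 2617 check for qop=auth. Returns the username on success, else null.
function verify_digest(array $d, array $users, string $method, string $uri, string $realm): ?string
{
    if (!isset($users[$d['username']]) || $d['realm'] !== $realm
        || $d['qop'] !== 'auth' || $d['uri'] !== $uri
        || !nonce_is_valid($d['nonce'])) {
        return null;
    }
    $ha1 = md5($d['username'] . ':' . $realm . ':' . $users[$d['username']]);
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:auth:$ha2");
    // Constant-time compare so a wrong response is not distinguishable by timing.
    return hash_equals($expected, $d['response']) ? $d['username'] : null;
}

$header = $_SERVER['PHP_AUTH_DIGEST'] ?? '';
$parsed = $header === '' ? null : parse_digest($header);
$user   = $parsed === null ? null
        : verify_digest($parsed, $users, $_SERVER['REQUEST_METHOD'] ?? 'GET',
                        $_SERVER['REQUEST_URI'] ?? '', REALM);

if ($user === null) {
    // Missing, malformed, expired or wrong: re-challenge so the browser
    // prompts again. The body is only displayed if the user hits Cancel,
    // and it is still a complete HTML document rather than a bare die().
    $stale = $parsed !== null && !nonce_is_valid($parsed['nonce']);
    send_challenge(REALM, $stale);
    echo '<!DOCTYPE html><html><body><p>Login required.</p></body></html>';
    exit;
}

echo '<!DOCTYPE html><html><body><p>You are logged in as: '
   . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p></body></html>';
```

With this flow a wrong login gets a new prompt rather than a dead "Wrong Credentials!" page, which is the behaviour Garrett lists as the desired result; dumping $_SERVER with print_r() on the live host will show whether PHP_AUTH_DIGEST is present at all.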
Re: Digest Authentication [message #179915 is a reply to message #179913]
Wed, 19 December 2012 02:08
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 12/18/2012 8:55 PM, xkit wrote:
> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>
>>> I am trying to implement a password protected area of a site. I have never done this before.
>
> [...]
>
>> One other point - this is NOT a very good script. For instance, you
>> should NEVER use die() on a production system, especially for a
>> non-critical error. die() terminates processing of the page
>> immediately, resulting in invalid HTML at the browser.
>>
> Wow, you're right!
>
> Should I use `echo`?
>
> When testing locally, after once entering wrong credentials, I
> continue to get
> `die('Wrong Credentials!');` and am given no opportunity to enter
> correct credentials.
>
>
> 1. click "cancel"
> 2. reload.
> 3. enter wrong credentials and click "login"
> 4. reload.
>
> Desired result:
> Prompt for login credentials.
>
> Actual result:
> "Wrong Credentials!"
>
> Is PHP_AUTH_DIGEST set automatically? And how and where in the script?
> Also, what should I look for in print_r()?
>
>> Additionally, I think a very low percentage of PHP sites use such
>> authentication. Most have their own login page (using https protocol).
>
> I'm not sure if we can do https here (it's a small, low budget project
> on Yahoo Small Business). For our app, we'll use a PayPal IPN of $1 to
> access the area of the site, and we're not worried about a MIM attack to get
> free access. I convinced the site owner to use a managed,
> password-protected area of the site, in favor of password protecting the zip file
> and zipping up the site contents and giving a "hidden" URL.
>
> If HTTPS isn't in budget, I'll try to amend the linked digest script.
>
> If I'm on the wrong track, please advise other strategies for this
> simple app.
>
> Thank you,
> --
> Garrett
>
If you're doing ecommerce (even if you're using Paypal), you NEED to use
https. Otherwise your site is NOT secure. It is too easy to intercept
the data being entered - i.e. someone using a wireless hot spot, on a
cable modem at home or any of a couple of dozen other connections will
easily allow a hacker to get everything he/she wants.
And if your site is hacked, the cost of NOT using it is much, much
higher than the cost of using it. If you can't afford it, you can't
afford the site.
Read M. Strobel's post. And if you're not familiar with creating a
secure site, hire someone who is. This is not a job for a beginner.
And BTW - giving a "hidden URL" is no security at all.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Digest Authentication [message #179921 is a reply to message #179915]
Wed, 19 December 2012 17:40
dhtmlkitchen
Messages: 4 Registered: December 2012
Karma: 0
Junior Member
On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry Stuckle wrote:
> On 12/18/2012 8:55 PM, xkit wrote:
>
>> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
>>> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>
[snip entire quoted message NOTE:
Never fullquote on USENET (quotes the whole message, signature). Quote *only* the parts you are replying to. Otherwise, there is no dialogue; no back and forth.
When replying type your reply, then review the entire message.
> If you're doing ecommerce (even if you're using Paypal), you NEED to use
>
> https. Otherwise your site is NOT secure. It is too easy to intercept
>
What it?
There are a lot of sites that navigate from an http (not https) site to PayPal. Are you telling me that this is a security issue? And if not, then where exactly do *you* see the security hole and what do you see being at risk (you wrote "everything" (including the moon?)).
> the data being entered - i.e. someone using a wireless hot spot, on a
>
> cable modem at home or any of a couple of dozen other connections will
>
> easily allow a hacker to get everything he/she wants.
>
Again, what is everything [that the hacker wants]? And how does any hacker get all of these things? Please explain, if you can.
>
>
> And if your site is hacked, the cost of NOT using it is much, much
>
> higher than the cost of using it. If you can't afford it, you can't
>
> afford the site.
>
>
>
> Read M. Strobel's post. And if you're not familiar with creating a
>
"This is a feature that is offered completely functional by the web server. " ...
> secure site, hire someone who is. This is not a job for a beginner.
>
Apparently no one here is qualified or willing to explain this task. I'm sure someone has made a secure site and is capable of reading, understanding, making a security assessment and giving technical advice.
>
>
> And BTW - giving a "hidden URL" is no security at all.
>
And that is why I advised the client to not do that, AISB.
--
Garrett
Re: Digest Authentication [message #179924 is a reply to message #179921]
Wed, 19 December 2012 20:02
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 12/19/2012 12:40 PM, dhtmlkitchen(at)gmail(dot)com wrote:
> On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry Stuckle wrote:
>> On 12/18/2012 8:55 PM, xkit wrote:
>>
>>> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>
>>>> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>
> [snip entire quoted message NOTE:
> Never fullquote on USENET (quotes the whole message, signature). Quote *only* the parts you are replying to. Otherwise, there is no dialogue; no back and forth.
>
> When replying type your reply, then review the entire message.
>
I will quote what I feel is appropriate. In this case, it was ALL
appropriate.
>> If you're doing ecommerce (even if you're using Paypal), you NEED to use
>>
>> https. Otherwise your site is NOT secure. It is too easy to intercept
>>
> What it?
>
> There are a lot of sites that navigate from an http (not https) site to PayPal. Are you telling me that this is a security issue? And if not, then where exactly do *you* see the security hole and what do you see being at risk (you wrote "everything" (including the moon?)).
>
It's not just PayPal involved in your site security. Oh, but I forgot.
You didn't want me to quote the appropriate text.
>> the data being entered - i.e. someone using a wireless hot spot, on a
>>
>> cable modem at home or any of a couple of dozen other connections will
>>
>> easily allow a hacker to get everything he/she wants.
>>
> Again, what is everything [that the hacker wants]? And how does any hacker get all of these things? Please explain, if you can.
>
Exactly what I said. But I'm not going to even try to explain basic
Internet security to someone who obviously has no clue.
>>
>>
>> And if your site is hacked, the cost of NOT using it is much, much
>>
>> higher than the cost of using it. If you can't afford it, you can't
>>
>> afford the site.
>>
>>
>>
>> Read M. Strobel's post. And if you're not familiar with creating a
>>
> "This is a feature that is offered completely functional by the web server. " ...
>
That doesn't mean it is secure. And in this case, it definitely IS NOT.
>> secure site, hire someone who is. This is not a job for a beginner.
>>
> Apparently no one here is qualified or willing to explain this task. I'm sure someone has made a secure site and is capable of reading, understanding, making a security assessment and giving technical advice.
>
Yes, I'm qualified to explain it. But I'm not even going to try in a
newsgroup post. It's way too big.
>>
>>
>> And BTW - giving a "hidden URL" is no security at all.
>>
> And that is why I advised the client to not do that, AISB.
>
At least that's a start. But again - I suggest you get someone who
UNDERSTANDS security. It's much more than cutting and pasting some code
you found on a web site (even if it is php.net). You obviously don't,
and it's way too important.
And once again, it's way too complicated to even try to begin to explain
over usenet. Understanding real security takes a LOT of time and learning.
That's why you haven't gotten more detailed answers here.
And BTW - I build secure sites all the time. They ALL include https -
but NONE of them include web server authentication. It's barely ok for
low security sites, but not ecommerce.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Digest Authentication [message #179927 is a reply to message #179921]
Wed, 19 December 2012 20:30
Peter H. Coffin
Messages: 245 Registered: September 2010
Karma: 0
Senior Member
On Wed, 19 Dec 2012 09:40:52 -0800 (PST), dhtmlkitchen(at)gmail(dot)com wrote:
> On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry Stuckle wrote:
>> On 12/18/2012 8:55 PM, xkit wrote:
>>
>>> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>
>>>> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>
> [snip entire quoted message NOTE:
> Never fullquote on USENET (quotes the whole message, signature). Quote *only* the parts you are replying to. Otherwise, there is no dialogue; no back and forth.
>
> When replying type your reply, then review the entire message.
Sorry, but I'm not taking USENET lessons from someone who doesn't wrap
his lines at 72 characters, as the good lard intended....
--
54. I will not strike a bargain with a demonic being then attempt to
double-cross it simply because I feel like being contrary.
--Peter Anspach's list of things to do as an Evil Overlord
Re: Digest Authentication [message #179930 is a reply to message #179927]
Wed, 19 December 2012 22:26
Twayne
Messages: 135 Registered: September 2010
Karma: 0
Senior Member
In news:slrnkd48uu(dot)4ja(dot)hellsop(at)nibelheim(dot)ninehells(dot)com,
Peter H. Coffin <hellsop(at)ninehells(dot)com> typed:
> On Wed, 19 Dec 2012 09:40:52 -0800 (PST),
> dhtmlkitchen(at)gmail(dot)com wrote:
>> On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry
>> Stuckle wrote:
>>> On 12/18/2012 8:55 PM, xkit wrote:
>>>
>>>> On Dec 13, 8:15 pm, Jerry Stuckle
>>>> <jstuck...@attglobal.net> wrote:
>>>
>>>> > On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>>
>> [snip entire quoted message NOTE:
>> Never fullquote on USENET (quotes the whole message,
>> signature). Quote *only* the parts you are replying to.
>> Otherwise, there is no dialogue; no back and forth.
And it limits responses too, if the reader only sees part of the problem
when the original post has been read already and is no longer visible. I
don't reassemble messages to get the original for anyone unless it's a rare
case.
>>
>> When replying type your reply, then review the entire
>> message.
>
> Sorry, but I'm not taking USENET lessons from someone who
> doesn't wrap his lines at 72 characters, as the good lard
> intended....
LOL! Good point! Same here. Whoever you mean there probably has a 200"
monitor in front of him and ... . I have a 24" LED but I don't set line
lengths to settings I know will annoy people.
A lot of people DO "fullquote" and it's not necessarily bad depending on the
length of the message.
IMO there always has to be enough of the original problem left so that
others don't have to reassemble read messages to see what it's all about. If
that's from stukey it's understandable - I don't read his posts anymore,
period. He just loves to thorn people in the ass and then proclaim how great
he is. Actually I don't generally even read replies to him anymore.
HTH,
Twayne`
Re: Digest Authentication [message #179935 is a reply to message #179921]
Thu, 20 December 2012 01:02
Scott Johnson
Messages: 196 Registered: January 2012
Karma: 0
Senior Member
On 12/19/2012 9:40 AM, dhtmlkitchen(at)gmail(dot)com wrote:
> On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry Stuckle wrote:
>> On 12/18/2012 8:55 PM, xkit wrote:
>>
>>> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>
>>>> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>
> [snip entire quoted message NOTE:
> Never fullquote on USENET (quotes the whole message, signature). Quote *only* the parts you are replying to. Otherwise, there is no dialogue; no back and forth.
>
> When replying type your reply, then review the entire message.
>
>> If you're doing ecommerce (even if you're using Paypal), you NEED to use
>>
>> https. Otherwise your site is NOT secure. It is too easy to intercept
>>
> What it?
>
> There are a lot of sites that navigate from an http (not https) site to PayPal. Are you telling me that this is a security issue? And if not, then where exactly do *you* see the security hole and what do you see being at risk (you wrote "everything" (including the moon?)).
>
>> the data being entered - i.e. someone using a wireless hot spot, on a
>>
>> cable modem at home or any of a couple of dozen other connections will
>>
>> easily allow a hacker to get everything he/she wants.
>>
> Again, what is everything [that the hacker wants]? And how does any hacker get all of these things? Please explain, if you can.
>
>>
>>
>> And if your site is hacked, the cost of NOT using it is much, much
>>
>> higher than the cost of using it. If you can't afford it, you can't
>>
>> afford the site.
>>
>>
>>
>> Read M. Strobel's post. And if you're not familiar with creating a
>>
> "This is a feature that is offered completely functional by the web server. " ...
>
>> secure site, hire someone who is. This is not a job for a beginner.
>>
> Apparently no one here is qualified or willing to explain this task. I'm sure someone has made a secure site and is capable of reading, understanding, making a security assessment and giving technical advice.
>
>>
>>
>> And BTW - giving a "hidden URL" is no security at all.
>>
> And that is why I advised the client to not do that, AISB.
>
(FULLQUOTE)
Kitchen, I doubt you are going to get any additional help around here
with your attitude.
Jerry was pointing out the vulnerabilities of the code used and unless
you have stock in that code or wrote it yourself, why get so defensive?
His points are very valid whether you disagree or dislike them. If you
expect FREE help for your potentially litigious issues, you may want to
humble yourself a bit.
Scotty
Re: Digest Authentication [message #179937 is a reply to message #179924]
Thu, 20 December 2012 04:59
dhtmlkitchen
Messages: 4 Registered: December 2012
Karma: 0
Junior Member
On Wednesday, December 19, 2012 12:02:21 PM UTC-8, Jerry Stuckle wrote:
> On 12/19/2012 12:40 PM, dhtmlkitchen(at)gmail(dot)com wrote:
>
>> On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry Stuckle wrote:
>
>>> On 12/18/2012 8:55 PM, xkit wrote:
>
>>>
>
>>>> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
>>>
>
>>>> > On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>
>>>
>
>> [snip entire quoted message NOTE:
>
>> Never fullquote on USENET (quotes the whole message, signature). Quote *only* the parts you are replying to. Otherwise, there is no dialogue; no back and forth.
>
>>
>
>> When replying type your reply, then review the entire message.
>
>>
>
>
>
> I will quote what I feel is appropriate. In this case, it was ALL
>
> appropriate.
>
>
>
>>> If you're doing ecommerce (even if you're using Paypal), you NEED to use
>
>>>
>
>>> https. Otherwise your site is NOT secure. It is too easy to intercept
>
>>>
>
>> What it?
>
>>
>
>> There are a lot of sites that navigate from an http (not https) site to PayPal. Are you telling me that this is a security issue? And if not, then where exactly do *you* see the security hole and what do you see being at risk (you wrote "everything" (including the moon?)).
>
>>
>
>
>
> It's not just PayPal involved in your site security. Oh, but I forgot.
>
> You didn't want me to quote the appropriate text.
>
>
>
>>> the data being entered - i.e. someone using a wireless hot spot, on a
>
>>>
>
>>> cable modem at home or any of a couple of dozen other connections will
>
>>>
>
>>> easily allow a hacker to get everything he/she wants.
>
>>>
>
>> Again, what is everything [that the hacker wants]? And how does any hacker get all of these things? Please explain, if you can.
>
>>
>
>
>
> Exactly what I said. But I'm not going to even try to explain basic
>
> Internet security to someone who obviously has no clue.
Uh huh. So when asked to explain your dubious statements, you superciliously declined.
You're not making a very good impression so far :-(.
>
>>> And if your site is hacked, the cost of NOT using it is much, much
>
>>>
>
>>> higher than the cost of using it. If you can't afford it, you can't
>
>>>
>
>>> afford the site.
>
>>>
>
>>>
>
>>>
>
>>> Read M. Strobel's post. And if you're not familiar with creating a
>
>>>
>
>> "This is a feature that is offered completely functional by the web server. " ...
>
>>
>
>
>
> That doesn't mean it is secure. And in this case, it definitely IS NOT.
>
Whatever you mean by *it* is not specifically clear.
>
>
>>> secure site, hire someone who is. This is not a job for a beginner.
>
Haughtily having a hard time explaining yourself?
>>>
>
>> Apparently no one here is qualified or willing to explain this task. I'm sure someone has made a secure site and is capable of reading, understanding, making a security assessment and giving technical advice.
>
>>
>
>
>
> Yes, I'm qualified to explain it.
Yep, you've sure made clear your ability to explain things.
> But I'm not even going to try in a
>
> newsgroup post. It's way too big.
>
That sounds like something you'd say.
>
>
>>>
>
>>>
>
>>> And BTW - giving a "hidden URL" is no security at all.
>
>>>
>
>> And that is why I advised the client to not do that, AISB.
>
>>
>
>
>
> At least that's a start. But again - I suggest you get someone who
>
> UNDERSTANDS security.
Better yet, someone who can explain what he claims to understand.
> It's much more than cutting and pasting some code
>
> you found on a web site (even if it is php.net). You obviously don't,
>
> and it's way too important.
>
>
>
> And once again, it's way too complicated to even try to begin to explain
>
> over usenet. Understanding real security takes a LOT of time and learning.
I see. Sorry you're having such a hard time explaining yourself!
>
>
>
> That's why you haven't gotten more detailed answers here.
>
>
>
> And BTW - I build secure sites all the time. They ALL include https -
>
> but NONE of them include web server authentication. It's barely ok for
>
> low security sites, but not ecommerce.
>
Concluding with a vague generalization. I get you.
--
Garrett
Re: Digest Authentication [message #179938 is a reply to message #179921]
Thu, 20 December 2012 08:57
M. Strobel
Messages: 386 Registered: December 2011
Karma: 0
Senior Member
On 19.12.2012 18:40, dhtmlkitchen(at)gmail(dot)com wrote:
> On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry Stuckle wrote:
>> On 12/18/2012 8:55 PM, xkit wrote:
>>
>>> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>
>>>> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>
--cut--
>> If you're doing ecommerce (even if you're using Paypal), you NEED to use
>>
>> https. Otherwise your site is NOT secure. It is too easy to intercept
>>
> What it?
>
> There are a lot of sites that navigate from an http (not https) site to PayPal. Are you telling me that this is a security issue? And if not, then where exactly do *you* see the security hole and what do you see being at risk (you wrote "everything" (including the moon?)).
>
People doing stupid things are only an example of "how not to do it".
HTTP is like a postcard: everybody transporting it can read it. Same thing with e-mail.
When you are at home using the internet, you know the data packets go straight to
your provider, you suppose he has no interest in reading it. When you are in an
internet cafe, you never know.
/Str.
Re: Digest Authentication [message #179940 is a reply to message #179938]
Thu, 20 December 2012 19:06
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 12/20/2012 3:57 AM, M. Strobel wrote:
> On 19.12.2012 18:40, dhtmlkitchen(at)gmail(dot)com wrote:
>> On Tuesday, December 18, 2012 6:08:59 PM UTC-8, Jerry Stuckle wrote:
>>> On 12/18/2012 8:55 PM, xkit wrote:
>>>
>>>> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>>
>>>> > On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>>
> --cut--
>
>>> If you're doing ecommerce (even if you're using Paypal), you NEED to use
>>>
>>> https. Otherwise your site is NOT secure. It is too easy to intercept
>>>
>> What it?
>>
>> There are a lot of sites that navigate from an http (not https) site to PayPal. Are you telling me that this is a security issue? And if not, then where exactly do *you* see the security hole and what do you see being at risk (you wrote "everything" (including the moon?)).
>>
>
> People doing stupid things are only an example of "how not to do it".
>
> HTTP is like a postcard: everybody transporting it can read it. Same thing with e-mail.
>
> When you are at home using the internet, you know the data packets go straight to
> your provider, you suppose he has no interest in reading it. When you are in an
> internet cafe, you never know.
>
> /Str.
>
Even at home your packets are not safe. For instance, if you're using a
cable modem, you'll be on the same cable as everyone else in your
neighborhood. And with a little bit of free software (basically the
same as they use at the internet cafe), it's not hard at all for a
hacker to see ALL the traffic on that cable.
And it's not necessarily your neighbor - it could be someone on an
entirely different continent who got a trojan on your neighbor's computer.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Digest Authentication [message #179941 is a reply to message #179935]
Fri, 21 December 2012 01:17
Twayne
Messages: 135 Registered: September 2010
Karma: 0
Senior Member
In news:kato3h$fup$1(at)dont-email(dot)me,
Scott Johnson <noonehome(at)chalupasworld(dot)com> typed:
>>
> (FULLQUOTE)
>
> Kitchen, I doubt you are going to get any additional help
> around here with your attitude.
> Jerry was pointing out the vulnerabilities of the code
> used and unless you have stock in that code or wrote it
> yourself, why get so defensive?
> His points are very valid whether you disagree or dislike
> them. If you expect FREE help for your potentially
> litigious issues, you may want to humble yourself a bit.
>
> Scotty
I have to disagree with you; IMO he's a narcissistic egomaniac and never
really answers a question. If he spent the time on a solution that he does
on a dozen or so extraneous things, he might be useful, but he's not. It's
been so long since I've seen him other than severely lacking in
interpersonal skills and an inability to proffer solutions, I finally quit
reading him altogether.
No loss and no skin off anyone's nose.
HTH,
Twayne
Re: Digest Authentication [message #179942 is a reply to message #179941]
Fri, 21 December 2012 04:10
Jerry Stuckle
Messages: 2598 Registered: September 2010
Senior Member
On 12/20/2012 8:17 PM, Twayne wrote:
> In news:kato3h$fup$1(at)dont-email(dot)me,
> Scott Johnson <noonehome(at)chalupasworld(dot)com> typed:
>
>>>
>> (FULLQUOTE)
>>
>> Kitchen I doubt you are going to get any additional help
>> around here with your attitude.
>> Jerry was pointing out the vulnerabilities of the code
>> used and unless you have stock in that code or wrote it
>> yourself, why get so defensive?
>> His points are very valid whether you disagree or dislike
>> them. If you expect FREE help for your potentially
>> litigious issues, you may want to humble yourself a bit.
>>
>> Scotty
>
> I have to disagree with you; IMO he's a narcissistic egomaniac and never
> really answers a question. If he spent the time on a solution that he does
> on a dozen or so extraneous things, he might be useful, but he's not. It's
> been so long since I've seen him other than severely lacking in
> interpersonal skills and an inability to proffer solutions, I finally quit
> reading him altogether.
> No loss and no skin off anyone's nose.
>
> HTH,
>
> Twayne
>
>
Yup, trolls do tend to feel that way. And I have no patience for them.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Digest Authentication [message #179943 is a reply to message #179941]
Fri, 21 December 2012 10:19
The Natural Philosoph
Messages: 993 Registered: September 2010
Senior Member
On 21/12/12 01:17, Twayne wrote:
> In news:kato3h$fup$1(at)dont-email(dot)me,
> Scott Johnson <noonehome(at)chalupasworld(dot)com> typed:
>
>>>
>> (FULLQUOTE)
>>
>> Kitchen I doubt you are going to get any additional help
>> around here with your attitude.
>> Jerry was pointing out the vulnerabilities of the code
>> used and unless you have stock in that code or wrote it
>> yourself, why get so defensive?
>> His points are very valid whether you disagree or dislike
>> them. If you expect FREE help for your potentially
>> litigious issues, you may want to humble yourself a bit.
>>
>> Scotty
>
> I have to disagree with you; IMO he's a narcissistic egomaniac and never
> really answers a question. If he spent the time on a solution that he does
> on a dozen or so extraneous things, he might be useful, but he's not. It's
> been so long since I've seen him other than severely lacking in
> interpersonal skills and an inability to proffer solutions, I finally quit
> reading him altogether.
> No loss and no skin off anyone's nose.
>
> HTH,
>
> Twayne
>
>
+1
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
Re: Digest Authentication [message #179961 is a reply to message #179868]
Sat, 22 December 2012 19:15
legalize+jeeves
Messages: 21 Registered: September 2010
Junior Member
[Please do not mail me a copy of your followup]
Jerry Stuckle <jstucklex(at)attglobal(dot)net> spake the secret code
<kae95p$7m5$1(at)dont-email(dot)me> thusly:
> Additionally, I think a very low percentage of PHP sites use such
> authentication. Most have their own login page (using https protocol).
> Once the user logs in, the script sets the appropriate information in
> the $_SESSION array. Pages which require login just check for the
> necessary data in the $_SESSION array, and if incorrect, redirect the
> user to the login page. If the data are correct, the script just
> continues with what it's supposed to do.
I recently implemented this exact mechanism for an open source project.
Additionally, I would add that you shouldn't store cleartext passwords
in the database, but instead store a cryptographic hash of the password
and compare hashes to authenticate. This means that if someone gets
ahold of your database, they still don't know cleartext passwords.
My implementation is located here: <http://manx.codeplex.com>
--
"The Direct3D Graphics Pipeline" free book <http://tinyurl.com/d3d-pipeline>
The Computer Graphics Museum <http://computergraphicsmuseum.org>
The Terminals Wiki <http://terminals.classiccmp.org>
Legalize Adulthood! (my blog) <http://legalizeadulthood.wordpress.com>
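The mechanism described in this post and in the quoted one, as an added example that is neither the poster's manx code nor the php.net digest script: a normal login form served over https, a password hash (never the cleartext) in the user table, the login result kept in `$_SESSION`, and a gate that every protected page calls before doing anything else. It assumes PHP 5.5 or later (`password_hash()` and `password_verify()` do not exist on the thread's PHP 5.3.6), that `session_start()` has already been called with secure and httponly cookie flags, and that the `$users` array stands in for the MySQL table the original poster plans to use; the `guest`/`guest` account and the URLs `/login.php` and `/members/` are constructed for the example.

```php
<?php
// Added example, not the poster's manx code and not the php.net digest
// script. Assumptions: PHP 5.5+ for password_hash()/password_verify();
// session_start() already called with secure+httponly cookie flags; the
// $users array below stands in for a MySQL table (constructed sample data).

// What the users table would hold: the output of password_hash() recorded
// at account creation. Computed here only so the example is self-contained.
$users = array(
    'guest' => password_hash('guest', PASSWORD_DEFAULT),
);

function find_password_hash($username, array $users)
{
    // Real site: SELECT password_hash FROM users WHERE username = ?
    // through a prepared statement, never string-built SQL.
    return isset($users[$username]) ? $users[$username] : null;
}

function login_user($username, $password, array $users)
{
    $hash = find_password_hash($username, $users);
    if ($hash === null) {
        // Unknown user: verify against a throwaway hash anyway so the
        // response time does not reveal which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // New session id on privilege change, so an id planted before login
    // (session fixation) is not promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Defaults got stronger since this hash was made: write
        // password_hash($password, PASSWORD_DEFAULT) back to the table here.
    }
    return true;
}

function require_login($login_url = '/login.php')
{
    // Protected pages call this first; it returns the username or redirects.
    if (empty($_SESSION['user'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return $_SESSION['user'];
}

function logout_user()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- login.php request handling ---
$error = '';
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $p = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    if (login_user($u, $p, $users)) {
        header('Location: /members/', true, 303);
        exit;
    }
    $error = 'Wrong credentials!';   // one message for bad user and bad password
}

// --- any protected page, e.g. /members/index.php ---
//   require 'auth.php';          // the functions above
//   $who = require_login();
//   echo 'You are logged in as: ', htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="/login.php">
  <?php if ($error !== '') { echo '<p>', htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), '</p>'; } ?>
  <input name="user" autocomplete="username">
  <input name="pass" type="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
```

`password_verify()` does the comparison in constant time and knows which algorithm and cost the stored hash used, so a leaked table gives an attacker bcrypt work per guess rather than the cleartext; the dummy verification for unknown usernames keeps the failure path the same length whether or not the account exists.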