Cookieless sessions, passports, or other methods

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.



Postby nakins » Sat Mar 26, 2011 11:17 pm

I'm stepping up into managed user territory and I'm trying to find out what the "state of the art" is or the options are besides the usual cookies and php sessions. For my site's purpose, I'm interested in using Shibboleth and LDAP to authenticate users. I've been working on setting up the LDAP server and have it to a point where I can consider other things like sessions/user tracking, plus iframe and wap applications.

In my day job, I work with a couple of web applications from a couple of vendors that can really pull a vacuum at times. It is largely related to how they use cookies and sessions. I don't mind using first party cookies, but they are going to be problematic for iframes and cell phone apps. I thought if there was a better way to deal with all this, I might as well learn it now.

I've done a little searching on cookieless sessions, but haven't found much yet that was new or authoritative. I read a thread here that mentioned passports, but it wasn't explained.

I would really like to hear your opinions and suggestions on things I've mentioned.

Thank you
nakins
Forum Newbie
Posts: 8
Joined: Sat Oct 13, 2007 2:46 pm

Re: Cookieless sessions, passports, or other methods

Postby Mordred » Sun Mar 27, 2011 2:48 am

Whatever the authentication scheme you want to use is, you have to somehow identify the user in the end. In order to do it without stepping out of the HTTP transport you have to pass the identification token on the HTTP stream. From that point of view, whether you use one-time passwords, session ids, client certificates or whatever, the token must travel in the HTTP request line (i.e. as a GET parameter), in an HTTP header (as a cookie for example) or in the body (as a POST form parameter). If some of these transport options don't suit you (e.g., a browser not supporting cookies) then choose another. If you don't like any of the three, then use another transport.
Things need not have happened to be true. Tales and dreams are the shadow-truths that will endure when mere facts are dust and ashes, and forgot.
My security blog. (not updated lately)
The Unexpected SQL Injection (article) (.txt, cause the .html version is broken)
Password hashing howto (and how not to) (article)
Salt strengths (article)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria
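As an added illustration of the three transports Mordred lists (this is example code, not from the thread or from any project): a PHP request handler that resumes a session from a token carried in the Authorization header, the POST body, or the query string, without ever touching a cookie. The helper names `find_session_token` and `start_cookieless_session` and the parameter name `sid` are assumptions; the query string is accepted last because a token there leaks into server logs, browser history and Referer headers.

```php
<?php
// Added example (not from the thread): resume a PHP session from a token carried
// by one of the three HTTP transports the reply lists, with no reliance on cookies.
// Precedence: Authorization header, then POST body, then query string. The query
// string is the weakest carrier (logs, history, Referer), so it is tried last.

// Hypothetical helper: return the session token, or null if absent or malformed.
function find_session_token(array $server, array $post, array $get): ?string
{
    $candidates = [];
    if (isset($server['HTTP_AUTHORIZATION'])
        && preg_match('/^Bearer\s+(\S+)$/i', $server['HTTP_AUTHORIZATION'], $m)) {
        $candidates[] = $m[1];
    }
    if (isset($post['sid'])) { $candidates[] = $post['sid']; }
    if (isset($get['sid']))  { $candidates[] = $get['sid']; }

    foreach ($candidates as $token) {
        // PHP session ids only use [a-zA-Z0-9,-]; reject anything else before it
        // reaches the session layer, so an attacker-chosen id is never installed.
        if (is_string($token) && preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $token)) {
            return $token;
        }
    }
    return null;
}

// Hypothetical helper: start the session without emitting or reading a cookie.
function start_cookieless_session(?string $token): bool
{
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '0');   // never let PHP append the sid to URLs
    ini_set('session.use_strict_mode', '1'); // ids the server did not issue get replaced
    if ($token !== null) {
        session_id($token);
    }
    return session_start();
}

$token = find_session_token($_SERVER, $_POST, $_GET);
start_cookieless_session($token);
```

Under some Apache CGI/FastCGI setups `$_SERVER['HTTP_AUTHORIZATION']` is not populated and a rewrite rule is needed to pass the header through; the POST and GET paths work regardless.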

Re: Cookieless sessions, passports, or other methods

Postby nakins » Sun Mar 27, 2011 1:44 pm

Thanks. That really clarified everything.
nakins
Forum Newbie
Posts: 8
Joined: Sat Oct 13, 2007 2:46 pm

