The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.
For anyone who is interested, the PHP Group have set up a PHP Security Consortium [URL]http://phpsec.org/[/URL].
Manic Moaner wrote:
> I haven't read the article, but session variables are stored on the
> server, not the client. The only thing the client browser stores is
> a session id.
> Encrypting things is the session isn't therefore needed.
Oh right, cool. I've never used sessions before in PHP - I just assumed they were the same as session cookies...
> I haven't read the article, but session variables are stored on the
> server, not the client. The only thing the client browser stores is
> a session id.
> Encrypting things is the session isn't therefore needed.
Oh right, cool. I've never used sessions before in PHP - I just assumed they were the same as session cookies...
Nimco wrote:
> It compares what someone copies from an image into a textbox with the
> passphrase stored in a session variable. All fairly routine. However
> does mean then that session variables are completely inaccessible by
> the client? If not, surely a bot could simply copy the session
> variable into the textbox?
>
I haven't read the article, but session variables are stored on the server, not the client. The only thing the client browser stores is a session id.
Encrypting things is the session isn't therefore needed.
> It compares what someone copies from an image into a textbox with the
> passphrase stored in a session variable. All fairly routine. However
> does mean then that session variables are completely inaccessible by
> the client? If not, surely a bot could simply copy the session
> variable into the textbox?
>
I haven't read the article, but session variables are stored on the server, not the client. The only thing the client browser stores is a session id.
Encrypting things is the session isn't therefore needed.
That looks promising. Just had a quick read through the article about the Turing test thingy with the text in an image.
It compares what someone copies from an image into a textbox with the passphrase stored in a session variable. All fairly routine. However does mean then that session variables are completely inaccessible by the client? If not, surely a bot could simply copy the session variable into the textbox?
A much more secure way surely would be to put, for example, an MD5 encrypted string of the image passphrase into a session variable, and simply MD5 their input to run the match? You could do this similarly with other encryption/hashing techniques.
It compares what someone copies from an image into a textbox with the passphrase stored in a session variable. All fairly routine. However does mean then that session variables are completely inaccessible by the client? If not, surely a bot could simply copy the session variable into the textbox?
A much more secure way surely would be to put, for example, an MD5 encrypted string of the image passphrase into a session variable, and simply MD5 their input to run the match? You could do this similarly with other encryption/hashing techniques.
For anyone who is interested, the PHP Group have set up a PHP Security Consortium [URL]http://phpsec.org/[/URL].