Quoting [EMAIL PROTECTED]:
[snip]
Couldn't I write my own cookie to fool the authentication into
thinking I'm somebody else?
[/snip]
I suppose that you could do that if you were savvy enough to realize
that automatic login to the intranet used a cookie for authentication
and you knew how to format the cookie and properly hash a checksum
stored in the cookie. The user information stored in the cookie would be
verified against the AD via LDAP.
First, let me apologize for having to take it to a basic level. I'll
admit that I'm fairly new to web development, but this is something I
could *really* use at work and I want to make sure I understand (just
to set the stage, we use Windows/Active Directory/MS SQL Server at
work, but have decided that future applications will be written in PHP
running on Linux/Apache).
So I have a login script that sets a cookie when the user logs in.
Then I have an application written in PHP that reads the cookie for
authentication purposes.
What would I store in the cookie? Would the username be sufficient
(since the cookie was set, we can assume that it was already
authenticated through AD, right), or is there something more I can add
to the cookie to make the process more secure?
Which leads back to my original question: what would keep me from
setting a cookie with, say, my manager's username, fooling the PHP
application into thinking I'm her?
I can't help but feel like I'm missing something.
Thanks,
Rick
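An added example, not code from Rick's or the responder's mail, sketching the "checksum stored in the cookie" idea in PHP: the cookie carries the username and an expiry, plus an HMAC computed with a secret only the server knows, so a cookie rewritten to name another user fails verification. The secret (COOKIE_SECRET), the 8-hour lifetime and the "rick"/"manager" values are assumptions; the AD/LDAP lookup the responder mentions is left out.

```php
<?php
// Added example (not from the original thread). Anyone can write a cookie
// naming another user, but without the server's secret they cannot produce
// a matching HMAC tag, so the PHP application rejects the cookie.

// Hypothetical server-side secret: load it from a config file outside the
// web root; it is never sent to the browser.
const COOKIE_SECRET = 'replace-with-a-long-random-secret-from-config';
const COOKIE_TTL    = 8 * 3600; // seconds a login stays valid (assumed)

// Build the cookie value once the login script has checked the user
// against AD. Layout: username|expiry|HMAC-SHA256(username|expiry).
function make_auth_cookie(string $username, int $now, string $secret): string
{
    if ($username === '' || strpos($username, '|') !== false) {
        throw new InvalidArgumentException('username must not contain |');
    }
    $payload = $username . '|' . ($now + COOKIE_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Verify a cookie presented by the browser. Returns the username on
// success, or null if the cookie is malformed, tampered with, or expired.
function verify_auth_cookie(string $cookie, int $now, string $secret): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                        // wrong shape
    }
    [$username, $expires, $tag] = $parts;
    if ($username === '' || !ctype_digit($expires) || (int)$expires < $now) {
        return null;                        // expired or garbage expiry
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, $secret);
    // hash_equals() compares in constant time, avoiding a timing leak.
    return hash_equals($expected, $tag) ? $username : null;
}

// Demonstration with constructed values.
$now    = 1700000000;
$cookie = make_auth_cookie('rick', $now, COOKIE_SECRET);
var_dump(verify_auth_cookie($cookie, $now, COOKIE_SECRET));           // genuine: username comes back

// Same cookie with the username swapped: the tag no longer matches,
// so the application treats it as anonymous.
$forged = str_replace('rick|', 'manager|', $cookie);
var_dump(verify_auth_cookie($forged, $now, COOKIE_SECRET));

// A day later the genuine cookie has expired and is rejected too.
var_dump(verify_auth_cookie($cookie, $now + 86400, COOKIE_SECRET));
```

In the real login script the value goes out via setcookie() with the secure and httponly flags so it only travels over HTTPS and is not readable by page scripts; the secret, not the cookie format, is what the scheme depends on.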
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php