FUDforum: comp.lang.php » Sanitizing user input

Home » Imported messages » comp.lang.php » Sanitizing user input

Show: Today's Messages :: Polls :: Message Navigator

Re: Sanitizing user input [message #169897 is a reply to message #169893]

Wed, 29 September 2010 16:21

Jerry Stuckle
Messages: 2598
Registered: September 2010

Karma:

Senior Member

On 9/29/2010 9:47 AM, Web Dreamer wrote:
> Jerry Stuckle a écrit ce mercredi 29 septembre 2010 12:57 dans
> <i7v63r$7hh$1(at)news(dot)eternal-september(dot)org> :
>
>> On 9/29/2010 4:01 AM, Web Dreamer wrote:
>>> We are talking about "web applications", not "web sites".
>>> Small companies can not afford more servers than employees to host web
>>> apps (not web sites) useful for their employees.
>>> See my other reply in this thread.
>>>
>>
>> That is true. And even small companies want their site to provide one
>> consistent interface. What you have is a bunch of different
>> applications thrown together with no consistency between them.
>
> Depends, some can be consistent, but will "require" different logins and
> separate sessions.
>
> Some not.
>
> i.e. an application may be accessed ONLY by HR, and you do not want the HR
> to be automatically logged in this application (for security reasons) if
> he/she's logged in another application : you separate session handling (but
> can be linked to same user database)
> handling sessions separately does not mean you have to separate everything.
> This makes sure you are not logged in an application automatically after
> having logged in another, if you want separate sessions for security
> reasons.
>
> Explain why you would have inconsistency?
>

You have inconsistency because a person has to use multiple logins to
the same site to access different information. It means users not only
have to keep track of multiple userids/passwords for the same site, but
which userid/password accesses which information.

If you have completely separate applications, it is much better to have
them on separate sites - additionally, system software can further limit
access (i.e. only from certain ip addresses).

> Choosing consistency depends on the target and usage of the application, and
> can require to be totally separated concerning session handling even with
> consistency. I was only mentioning session handling.
>

Which affects consistency.

>> No
>> business which knows anything about the internet would want such on
>> their site. And only a code hacker would build such a site.
>
> No,
>
> Another example different from the one above:
>
> A shopkeeper can have two companies:
> A shoe shop
> A flower shop
> two different entities.
> They share one same server (same boss, different legal entities, and
> employees).
> You SURELY do not want to mix anything together! But the owner of the shops
> can afford only one server (2 or 3 employees in each shop), and you
> configure vhosts on the server.
>

No, and I would have two separate sites - one for each company. No
special session handling required, because each site can only access its
own cookies - and therefore only its own session information.

> Are you really sure you want top mix this?
> I seriously doubt it.
>
> Do you know any small business who would want to have mixed employee
> logins/accountability with another small business?
> Honestly... no...
> But sometimes they share a same "physical" server (same owner for the 2
> shops)
>

Nope, which is why they would have different sites. It makes no
difference whether they are on the same server or not - cookies are
domain specific, not server specific. One domain cannot access cookies
from another domain - it makes absolutely no difference whether they are
on the same server or not.

>>> Once you choose a session.name, you keep the same for the whole web app
>>> of course (otherwise everything would brake).
>>> What I mean is that for a "new app" you need a "new session.name" and you
>>> will keep this same session.name for the whole application of course.
>>>
>>> If you do not think of choosing a session.name for an application when
>>> you create it, and that you are asked to install this application on a
>>> server which already runs other applications (not sites), you risk
>>> clashes if they all use the same session.name.
>>>
>>
>> And you still run that same risk because some other application may have
>> chosen the same name. If you must separate your information, you should
>> use some prefix for your session array keys.
>
> There is much less risk, but indeed you are right about adding also a
> prefix.
>
> And again, separating sessions does not necessarily mean separating
> information.
>

Yes, it does - because scripts using one session cookie will not be able
to access data from the other session cookie.

> Sometimes you want things totally separated.
> Sometimes only "sessions" to be separated.
>
> And it's the one who pays you who decides.
>

So, you use different domains and different hosts. No problem at all,
and separation of session information is guaranteed.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Report message to a moderator

[Message index]

		Sanitizing user input By: MikeB on Fri, 24 September 2010 05:42
		Re: Sanitizing user input By: Helmut Chang on Fri, 24 September 2010 07:59
		Re: Sanitizing user input By: MikeB on Fri, 24 September 2010 15:24
		Re: Sanitizing user input By: Web Dreamer on Tue, 28 September 2010 10:11
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 11:21
		Re: Sanitizing user input By: Web Dreamer on Tue, 28 September 2010 13:14
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 15:14
		Re: Sanitizing user input By: Michael Fesser on Tue, 28 September 2010 16:24
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 22:35
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 08:01
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 10:57
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 13:47
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 16:21
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 07:44
		Re: Sanitizing user input By: Jerry Stuckle on Thu, 30 September 2010 12:32
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 12:51
		Re: Sanitizing user input By: Web Dreamer on Tue, 28 September 2010 16:37
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 22:34
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 07:54
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 08:02
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 11:01
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 13:15
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 16:22
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 07:47
		Re: Sanitizing user input By: Jerry Stuckle on Thu, 30 September 2010 12:35
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 12:57
		Re: Sanitizing user input By: alvaro.NOSPAMTHANX on Fri, 24 September 2010 08:15
		Re: Sanitizing user input By: MikeB on Fri, 24 September 2010 15:06
		Re: Sanitizing user input By: Michael Fesser on Fri, 24 September 2010 17:12

Previous Topic:	how to write a wsdl for php webservice?
Next Topic:	ANNOUNCE - NHI1 / PLMK / libmsgque - Work-Package-II

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Nov 23 18:36:13 GMT 2024

Total time taken to generate the page: 0.15710 seconds