[nycphp-talk] Experts help needed (Sessions)

Dan Cech dcech at phpwerx.net
Thu Aug 11 09:21:12 EDT 2005


Joseph,

From my understanding this is the opposite of what Chris was 
suggesting, because it does not adapt to usage patterns.

On the first page load set $_SESSION['HTTP_USER_AGENT']
Also set $_SESSION['HTTP_USER_AGENT_MATCHES'] = 1
On each page load, if the user agent matches what is stored, increment 
$_SESSION['HTTP_USER_AGENT_MATCHES'] by 1
If the user agent does not match, and the count of matching agents is 
greater than some threshold, then prompt for a password.

The idea is to protect people whose user agent does not change often 
without unduly penalising people whose user agent does (for whatever 
reason).

The fact that the system 'learns' from the activity of the user to offer 
the best balance between security and convenience is what sets a system 
like this apart from the majority of rigid systems.

It occurs to me that this would be a good structure to generalise and 
implement in an extensible class, as it can (and should) really be 
applied to many different security tasks.

Dan

Joseph Crawford wrote:
> Chris,
> 
> The current way I have things working is like this.
> 
> On the first page load set $_SESSION['HTTP_USER_AGENT']
> On the next page load compare the agents.
> If they don't match increment the counter
> otherwise continue on as normal
> 
> Once the counter hits a limit of say 3 it shows the password box and tells 
> the user they need to verify they are the same user. If they enter the 
> correct password, everything is reset, otherwise a password check counter is 
> incremented. If they enter the password wrong 3 times the system will 
> destroy the session and assume it's not the correct user.
> 
> My question is, did I get a clear understanding of what you were saying to 
> do and did I implement this the proper way according to your thoughts?
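The adaptive check Dan describes above, written out as an added example (not code from either poster). It works on a plain array instead of $_SESSION so it can be run from the command line; the threshold of 5 and the handling of an agent change below the threshold (accept the new agent and restart the count) are assumptions.

```php
<?php
// Added example, not code from the thread. Works on a plain array rather
// than $_SESSION so it runs from the CLI; in a web app pass $_SESSION.

const UA_MATCH_THRESHOLD = 5; // assumed value for "some threshold"

// Apply one page load to $session and return what the app should do:
//   'init'      first visit, agent recorded
//   'ok'        agent matches, confidence counter incremented
//   'reverify'  agent changed after a long consistent run: prompt for password
//   'tolerated' agent changed but the run was short, so no prompt (assumption:
//               accept the new agent and restart the count)
function checkUserAgent(array &$session, string $agent): string
{
    if (!isset($session['HTTP_USER_AGENT'])) {
        $session['HTTP_USER_AGENT'] = $agent;
        $session['HTTP_USER_AGENT_MATCHES'] = 1;
        return 'init';
    }
    if ($session['HTTP_USER_AGENT'] === $agent) {
        $session['HTTP_USER_AGENT_MATCHES']++;
        return 'ok';
    }
    if ($session['HTTP_USER_AGENT_MATCHES'] > UA_MATCH_THRESHOLD) {
        return 'reverify';
    }
    $session['HTTP_USER_AGENT'] = $agent;
    $session['HTTP_USER_AGENT_MATCHES'] = 1;
    return 'tolerated';
}

// Constructed demo: a user with a stable browser that switches after six
// loads gets a password prompt; a user whose agent flips on every load never
// builds up enough matches to be prompted.
$stable = [];
$ff = 'Mozilla/5.0 (X11; Linux) Firefox/1.0';
$ie = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';
for ($i = 0; $i < 6; $i++) {
    checkUserAgent($stable, $ff);
}
echo "stable user, new agent: ", checkUserAgent($stable, $ie), "\n";

$flaky = [];
checkUserAgent($flaky, $ff);
checkUserAgent($flaky, $ie);
echo "flaky user, new agent:  ", checkUserAgent($flaky, $ff), "\n";
```

On a 'reverify' result the application would show the password box and, after a correct password, store the new agent and reset the count to 1, as Joseph's version does.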
