Re: LiveUser externalValues?
user name
2007-05-23 10:45:52
>Hi,
>
>I just wonder what is the use of
LiveUser::setExternalValues() and
>LiveUser::externalValuesMatch() ?
>
>I can not understand from the doc comments.
>
>Thanks.
>
>Regards,
>Matthias

Hi Matthias,

this is a way to hinder/complicate session hijacking. You
can define any kind of values like the user's ip address,
user agent, charset whatever. This will be stored in the
session on successful login and then validated with the
current values on each page request. When the values that
were stored on login do not match with the current values,
the user will be denied access.

You can define it in the config for the auth container like
this:
'externalValues' => array(
    'values'      => $_SERVER,                  // any kind of array
    'keysToCheck' => array('HTTP_USER_AGENT'),  // keys existent in the array from above
)

This means the user agent will be compared to the value in
$_SERVER on each page request after the login.

You don't need to rely on $_SERVER, you can also use values
of your own.

Best regards,

Torsten

-- 
PEAR Development Mailing List (http://pear.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
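As an added example (not LiveUser's own code and not part of the thread), here is a minimal stand-alone PHP re-implementation of the mechanism Torsten describes: a snapshot of selected keys is taken at login and stored in the session, and every later request is compared against it, with a mismatch denying access. The class name ExternalValueGuard, the plain array standing in for $_SESSION, and the request values are all assumptions made for this example; only the config keys 'values' and 'keysToCheck' mirror the configuration shown above.

```php
<?php
// Added example, not LiveUser's code. ExternalValueGuard is a hypothetical
// name; the $session array passed in stands in for $_SESSION so the script
// runs from the command line without a web server.

final class ExternalValueGuard
{
    /** @var array reference to the session store */
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Called once on successful login: snapshot the keys to be checked.
    public function setExternalValues(array $config): void
    {
        $values   = $config['values'];
        $snapshot = [];
        foreach ($config['keysToCheck'] as $key) {
            // A key absent at login is recorded as absent, so a later request
            // that suddenly supplies it is also treated as a mismatch.
            $snapshot[$key] = array_key_exists($key, $values)
                ? (string) $values[$key]
                : null;
        }
        $this->session['external_values'] = $snapshot;
    }

    // Called on every request after login; false means "deny access".
    public function externalValuesMatch(array $config): bool
    {
        if (!isset($this->session['external_values'])) {
            return false; // no snapshot means no authenticated session
        }
        $values = $config['values'];
        foreach ($this->session['external_values'] as $key => $stored) {
            $current = array_key_exists($key, $values)
                ? (string) $values[$key]
                : null;
            if ($stored === null || $current === null) {
                if ($stored !== $current) {
                    return false;
                }
                continue;
            }
            // hash_equals() compares in constant time, so a mismatch does not
            // leak the stored value through response timing.
            if (!hash_equals($stored, $current)) {
                return false;
            }
        }
        return true;
    }
}

// Constructed request data standing in for $_SERVER (not a real capture).
$config = [
    'values' => [
        'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/2.0',
        'REMOTE_ADDR'     => '203.0.113.7',
    ],
    'keysToCheck' => ['HTTP_USER_AGENT', 'REMOTE_ADDR'],
];

$session = [];
$guard   = new ExternalValueGuard($session);
$guard->setExternalValues($config);

// Same browser, later request.
var_dump($guard->externalValuesMatch($config));

// Session cookie replayed from elsewhere with a different User-Agent.
$replayed = $config;
$replayed['values']['HTTP_USER_AGENT'] = 'curl/7.15.5';
var_dump($guard->externalValuesMatch($replayed));
```

The second call is denied because HTTP_USER_AGENT no longer matches the value stored at login. Two caveats worth keeping in mind when choosing keysToCheck: the User-Agent header is supplied by the client, so an attacker who obtained the cookie from the victim's browser can usually send the same header, and checking REMOTE_ADDR will log out legitimate users whose address changes mid-session (mobile networks, proxy pools). The check raises the cost of hijacking; it does not replace a short session lifetime and a fresh session ID on login.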


Re: Re: LiveUser externalValues?
user name
2007-05-23 10:52:11
roehrzilleon.com wrote:
>> Hi,
>>
>> I just wonder what is the use of
LiveUser::setExternalValues() and
>> LiveUser::externalValuesMatch() ?
>>
>> I can not understand from the doc comments.
>>
>> Thanks.
>>
>> Regards,
>> Matthias
> 
> Hi Matthias,
> 
> this is a way to hinder/complicate session hijacking.
You can define any kind of values like the user's ip
address, user agent, charset whatever. This will be stored
in the session on successful login and then validated with
the current values on each page request. When the values
that were stored on login do not match with the current
values, the user will be denied access.
> 
> You can define it in the config for the auth container
like this:
> 'externalValues' => array(
>     'values'      => $_SERVER,                  // any kind of array
>     'keysToCheck' => array('HTTP_USER_AGENT'),  // keys existent in the array from above
> )
> 
> This means the user agent will be compared to the value
in $_SERVER on each page request after the login.
> 
> You don't need to rely on $_SERVER, you can also use
values of your own.
> 

Ahh, thanks for making this clear to me. 
Sounds like a useful feature.

Regards,
Matthias


