[TYPO3-dev] einfachen User Login in einer Session speichern?
David Bruchmann
typo3-dev at bruchmann-web.de
Wed Jul 29 23:49:15 CEST 2009
----- Ursprüngliche Nachricht -----
Von: Gerhard Mehsel <sparking at gmx.net>
Gesendet: Dienstag, 21. Juli 2009 09:45:36
An: typo3-dev at lists.netfielders.de
CC:
Betreff: Re: [TYPO3-dev] einfachen User Login in einer Session speichern?
> I want to set the user data like this:
> $GLOBALS["TSFE"]->fe_user->setKey("user","password", 12346);
>
> My question: is this kind of TYPO3 session save enough to put the
> username and password in it or should I store this information in an
> other way?
Normally it's no goog idea to save passwords or other personal data in
sessions. If it's really needed you've to assure that the page or the
session can't be read from "men in the middle" or hijacked at all.
For general information:
http://www.heise.de/security/Einfallstor-Browser--/artikel/115254 [de]
http://insecure.org/
Both links don't cover all possible security-holes I think, but it's a
start for informing yourself.
By the way: "men in the middle" often are in the own or the customers
company. So they have access to logarithms do decode weak and bad
encrypted passwords (or without salt in passwords they just use
rainbowtables). Saving (and transmitting) unencrypted passwords in
sessions is unbelievable anyway.
Best regards
David
More information about the TYPO3-dev
mailing list