<div dir="ltr">On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont <span dir="ltr"><<a href="mailto:corentin.dupont@gmail.com" target="_blank">corentin.dupont@gmail.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Chris,<br>Thanks!<br>That's true for the user number. What should I do? Encrypt it?</blockquote><div><br></div><div>It's not that you have a user number, or even that it's accessible: it's that it's the entirety of access control, meaning that if the user changes it they can masquerade as another user. The correct solution is that a user should authenticate, which creates a session hash that you stash away and also send back to the user as a cookie so the browser will present it on accesses. Then you check that the presented hash is there and matches the session hash. These should expire periodically, requiring the user to log back in again.</div>
<div><br></div></div>-- <br><div dir="ltr"><div>brandon s allbery kf8nh sine nomine associates</div><div><a href="mailto:allbery.b@gmail.com" target="_blank">allbery.b@gmail.com</a> <a href="mailto:ballbery@sinenomine.net" target="_blank">ballbery@sinenomine.net</a></div>
<div>unix, openafs, kerberos, infrastructure, xmonad <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></div></div>
</div>