[OWASP_PHPSEC] Session Management Library : Adding location of sessions
shivamd001 at gmail.com
Wed Sep 11 20:00:00 UTC 2013
Thank you for explaining the point to me more clearly. I will design the
structure and will get back to you.
On Wed, Sep 11, 2013 at 10:07 PM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:
> The thing that Abbas suggested, is not something you would have to search.
> What he meant was that instead of using the session table itself for
> storing data, you should use a different table.
> With asynchronous he meant that you should design the function such that
> it could work alone and not come in between the process of
> storing/retrieving sessions. The reason for that is that if locating
> sessions takes 200 ms, then storing sessions would be too slow and hence it
> will slow the overall app. Thus, the function should be such that it should
> run for only those who want this service, and even then the function should
> run independently of the app (possibly in background), so that the app does
> not have to worry about the location.
> With location you would also have to check that two login attempts are not
> made from two very far locations. E.g. I logged in from India this morning
> and second login is in US that same noon. That is not possible and hence
> must trigger some error, or log event or mail...etc....so if possible also
> try to design this mechanism.
> On Tue, Sep 10, 2013 at 4:05 PM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>> Hello Abbas,
>> Thanks for explaining the point to me. I will search on the internet how this
>> can be implemented and then will come up with another idea.
>> On Tue, Sep 10, 2013 at 7:05 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> It needs to be plug-able (i.e. creating its own tables, without any side
>>> effects) because not everybody wants the locations and the overhead
>>> assigned to them.
>>> It should also be able to retrieve location databases automatically, and
>>> check for its requirements.
>>> It needs to work asynchronously, meaning that it should not block the
>>> session creation or update while it retrieves the location (only if it takes
>>> more than a reasonable time, say 200 milliseconds). For how to do that, you
>>> have to google around.
>>> Any more elaboration?
>>> On Sep 10, 2013, at 9:21 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>>> Hello Abbas,
>>> Rahul told me that we have to *store session location* also, which is
>>> part of *phase 2* but I can work on it if I want to.
>>> Can you please elaborate a bit on "plug-able system that works
>>> asynchronously" ?
>>> On Tue, Sep 10, 2013 at 6:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>> It isn't a mandatory session function, and makes the system very slow.
>>>> The better idea is to have it as a plug-able system that works
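The "two logins from very far locations" check Rahul describes above, as an added example that is not part of the thread or the PHPSEC library: it assumes the asynchronous lookup has already mapped each login's IP to a latitude/longitude (stored in its own table, as Abbas suggested) and only decides whether the implied travel speed is plausible.

```php
<?php
// Added example, not PHPSEC code. Assumes the location lookup has already
// produced lat/lon for both logins; this function only compares them.

// Great-circle distance in km between two lat/lon points (haversine formula).
function haversine_km(float $lat1, float $lon1, float $lat2, float $lon2): float
{
    $earthRadiusKm = 6371.0;
    $dLat = deg2rad($lat2 - $lat1);
    $dLon = deg2rad($lon2 - $lon1);
    $a = sin($dLat / 2) ** 2
       + cos(deg2rad($lat1)) * cos(deg2rad($lat2)) * sin($dLon / 2) ** 2;
    return 2 * $earthRadiusKm * asin(sqrt($a));
}

// True when reaching $curr from $prev in the elapsed time would require
// travelling faster than $maxKmh (default roughly airliner speed).
// Each login is ['time' => unix timestamp, 'lat' => float, 'lon' => float].
function is_impossible_travel(array $prev, array $curr, float $maxKmh = 1000.0): bool
{
    $km = haversine_km($prev['lat'], $prev['lon'], $curr['lat'], $curr['lon']);
    $hours = ($curr['time'] - $prev['time']) / 3600;
    if ($hours <= 0) {
        // Same second or clock skew: only a genuinely distant location is suspicious.
        return $km > 50;
    }
    return ($km / $hours) > $maxKmh;
}

// Constructed sample matching the thread's scenario: login from New Delhi in
// the morning, second login from New York at noon UTC the same day
// (about 11,800 km apart, four hours later).
$prev = ['time' => strtotime('2013-09-11 08:00:00 UTC'), 'lat' => 28.61, 'lon' => 77.21];
$curr = ['time' => strtotime('2013-09-11 12:00:00 UTC'), 'lat' => 40.71, 'lon' => -74.01];

if (is_impossible_travel($prev, $curr)) {
    // Hook for the error, log event or mail mentioned in the thread.
    // The session id here is a constructed placeholder.
    error_log('impossible travel detected for session SESSION_ID_PLACEHOLDER');
}
```

Because this runs after the location lookup has completed, it never sits in the session store/retrieve path and so cannot add to the 200 ms budget discussed above.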