|
Dan Eloff
dan.eloff at gmail.com
Wed Apr 26 11:33:44 EDT 2006
On 4/25/06, Joshua Ginsberg <listspam at flowtheory.net> wrote: > My suggestion then is that you encrypt in your database the personal > information about people where the key is the SHA1 digest of the user's > password. Make sure, of course, when you store their password, it is > stored using a different family of hashing algorithm. Then when you need > access to their personal information (e.g. credit card information) > prompt them for their password again and use it to decrypt their record. I wish I could do that, but my website needs access to that information while the user is not online, so I can't encrypt it. However, things like credit cards I can encrypt (and wouldn't feel safe storing them without doing that) > Generally good practice. It takes some care to ensure that possession of > the insecure SID does not gain the user access to the secure SID or any > information that the secure SID is required for. > Yes, I use a single handler as a dispatcher for my site, so I'm going to put the logic in there before control get's passed onto the rest of the site. If req.uri begins with /secure they will get redirected to the login screen unless the secure session cookie exists and passes the tests. Then It's just up to me to put everything important in the /secure directory. > > Investigate the SSLRequireSSL directive. > Thanks! -Dan
|