852 Part V Case Studies

Cookie-based authorization, as the name implies, relies upon special cookies to identify browser sessions belonging to trusted users. Often, the cookie must be set inside the firewall, so there is an element of IP authorization to this type of scheme also. The advantage of cookie-based designs is that cookies are easy to implement and can be used by several employees at once. The disadvantage is that, by themselves, cookies are easy to spoof and hard to track because they embody authorization without authentication. If you have six trusted users in your organization who are empowered to take a certain action, with cookies alone you won't know which of the six made a particular mistake.

Database authorization relies on a more formal concept of permissions, either individual or grouped into baskets. Individual permissions are stored in their own database tables, such as permission and user_permission. On each page load, the code checks to see whether this particular authenticated user has the particular permission necessary to use this particular tool. Baskets of permissions are often represented simply as a bit in the user table (is_admin or some such field). Database permissions are the most complicated to implement, but one of the safest designs. Furthermore, you can track individual actions with a database at a level of granularity not possible with the other schemes.

Finally, IP-based permissions attempt to restrict use of certain tools to only those behind a firewall or on a particular subnet. You may, for example, allow only one development server to connect to your live database on the other side of the firewall. IP-based plans should really be led by your IT staff or systems administrators because almost all the work and maintenance falls on them. If you, as the Web developer, do everything they tell you to do, but the network is cracked anyway, the responsibility should fall on them. Obviously, IP-based authorization is non-authenticated: unless you work in a locked room, it's very difficult to prevent others from sneaking up to your computer while you're away and using the browser-based tool on your computer.

Remember that any or all of these basic methods can be combined for stronger security. You could have a system where all tools lived in a particular password-protected directory on a particular server, for example, and would run only on that server, but permissions were stored on the live database in the field. This would combine basic auth, database, and IP-based authorization systems for a more secure result.

Login as user

Logging in as a particular user is not a tool per se. It may be something you must build into the structure of your entire site, depending on how you implement it and the particulars of your site architecture. For instance, you may have a special cookie that means, "I'm the administrator, but I want to see this user's user page as if I were the user."

If you used the registration and login code we laid out in the "Registration" and "Login" sections of this chapter, you could easily write a tool to basically give a particular user's cookies to the administrator of your site. Essentially, it would amount to using the login script without requiring a password, or rather without requiring the password of the user whose point of view you are taking. This would be an intrinsically insecure way to accomplish your task, and therefore should only be used in combination with one or more of the other security schemes discussed in the "Avoiding Common Security Problems" section of this chapter.

The impersonate.php form in Listing 44-11 looks exactly like the normal login form, login.php. Instead of entering his or her own username and password, however, the authorized user will enter the username of the user he or she wishes to impersonate, plus a special administrator password. If the administrator cookie is not detected, the form will automatically redirect to the front page of the site.
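As an added example (not one of the chapter's listings), here is how the per-page database permission check described above, together with the per-action tracking that makes impersonation attributable, might look in PHP with PDO. It assumes a hypothetical schema: user(id, is_admin), permission(id, name), user_permission(user_id, permission_id), and an audit_log table that the text does not define.

```php
<?php
// Added example, not one of the chapter's listings. Assumed (hypothetical)
// schema: user(id, is_admin), permission(id, name),
// user_permission(user_id, permission_id), and
// audit_log(user_id, acting_as, action, created_at) for tracking actions.

function hasPermission(PDO $db, int $userId, string $permName): bool
{
    // "Basket" of permissions: a single is_admin bit on the user row.
    $stmt = $db->prepare('SELECT is_admin FROM user WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;               // unknown user: deny
    }
    if ((int) $row['is_admin'] === 1) {
        return true;
    }
    // Individual permission: bound parameters, never string interpolation.
    $stmt = $db->prepare(
        'SELECT 1 FROM user_permission up
           JOIN permission p ON p.id = up.permission_id
          WHERE up.user_id = :uid AND p.name = :perm
          LIMIT 1'
    );
    $stmt->execute([':uid' => $userId, ':perm' => $permName]);
    return $stmt->fetchColumn() !== false;
}

// Record who did what. During impersonation, keep BOTH identities so the
// audit trail still names the administrator actually at the keyboard.
function logAction(PDO $db, int $actorId, ?int $actingAsId, string $action): void
{
    $stmt = $db->prepare(
        'INSERT INTO audit_log (user_id, acting_as, action, created_at)
         VALUES (:actor, :as, :action, NOW())'   // NOW() assumes MySQL
    );
    $stmt->execute([':actor' => $actorId, ':as' => $actingAsId, ':action' => $action]);
}

// Per-page guard: $userId comes from the authenticated session, not from a
// cookie the browser can set itself. Denied attempts are logged, then the
// request is redirected to the front page, as the text does for a missing
// administrator cookie.
function requirePermission(PDO $db, int $userId, string $permName): void
{
    if (!hasPermission($db, $userId, $permName)) {
        logAction($db, $userId, null, "denied:$permName");
        header('Location: /index.php');
        exit;
    }
}
```

Call requirePermission() at the top of each tool page; when an administrator is impersonating someone, pass the administrator's own id as the actor and the impersonated user's id as acting_as to logAction() so the record names the person who really made the change.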