Denis Grenier
Posted: 09/08/2007, 3:44 AM
Introduction:
I tried to solve this challenge myself but had to give up. I am now willing
to pay (or to be forever in debt) to solve it.
The story:
I have created a web site for my company services: www.nuuco.com . I chose
two main technologies to achieve the purpose of the website:
Typo3: a well-known public domain CMS that supports the redaction, editing
and multilanguage support needed.
CodeCharge Studio: a solid program generator to handle all database
transactions.
As you might guess, security (logon and related) is not handled the same
way by both applications and I am now at the point where logging in twice is
not acceptable. I need a solution.
Security in Typo3: When a user logs on, a session_id is created
(hexadecimal, 10 positions). This session_id can be retrieved as needed from
a session variable (Array).
This session_id is the primary key of a record in a table: fe_sessions.
When reading fe_sessions we find Ses_Userid, Ses_IpLock.
Another table, fe_users, holds the username and usergroup (Array).
Security in CodeCharge Studio:
In CodeCharge Studio, the program generates a logon.php program. Before
generating the program, you need to stipulate the table for users along with
fields for UserID, UserName, Password, UserGroup. In the login process,
CodeCharge Studio will create three session variables for UserID, Username
and UserGroup. I don't know if there is an IP verification being made.
In order to solve the challenge there are two potential solutions:
The quickie:
Create a mod on the Typo3 newloginbox extension in order to create the
session variables needed by the CodeCharge Studio application. If there is an
additional check for the IP address, it would need to be resolved.
The more complex one:
Create a mod in CodeCharge Studio to get the Typo3 session_id and from there
read the database to retrieve Userid, Username and Usergroup. This could
improve the security of my application. Again, IP verification, if present in
CodeCharge Studio, would need to be taken care of.
Again, I am willing to pay to solve this challenge. Should you believe you
can be up to this challenge, please contact me.
You can download Typo3 from www.typo3.com. CodeCharge Studio provides a
fully functional 30-day evaluation of their software at www.yessoftware.com.
Thanks
Denis Grenier
Président
189, boul. Hymus
Suite 300
Montréal, Québec
H9R 1E9
@: mailto:denis.grenier@nuuco.com
w: http://www.nuuco.com
Tel: 514-946-4767
Fax: 514-694-1740
My Linkedin Profile
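Added example in PHP (not code from the post, Typo3 or CodeCharge Studio) of the "more complex" option described above: the Typo3 session id from the browser's cookie is validated against fe_sessions, the IP lock and session age are checked, and only then are the CodeCharge session variables populated. Assumed names: the fe_typo_user cookie, the ses_tstamp, uid, disable and deleted columns, the '[DISABLED]' lock marker, and the three CodeCharge variable names.

```php
<?php
// Added example, not code from the post, Typo3 or CodeCharge Studio. It implements the
// "more complex" option: validate the Typo3 session server-side, then set the three
// session variables CodeCharge expects. Assumptions: the Typo3 cookie is 'fe_typo_user';
// fe_sessions has ses_id, ses_userid, ses_iplock, ses_tstamp; fe_users has uid,
// username, usergroup, disable, deleted; Typo3 stores '[DISABLED]' in ses_iplock when
// IP locking is off; 'UserID', 'UserLogin', 'UserRights' stand in for the generated names.
const TYPO3_SESSION_LIFETIME = 6000; // seconds; match the Typo3 session timeout in use
function typo3SessionUser(PDO $pdo, string $sesId, string $clientIp, int $now): ?array
{
    // Typo3 session ids are hexadecimal: reject anything else before touching the DB.
    if (!preg_match('/^[0-9a-f]+$/i', $sesId)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT s.ses_iplock, s.ses_tstamp, u.uid, u.username, u.usergroup
           FROM fe_sessions s JOIN fe_users u ON u.uid = s.ses_userid
          WHERE s.ses_id = :id AND s.ses_userid > 0 AND u.disable = 0 AND u.deleted = 0'
    );
    $stmt->execute([':id' => $sesId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                  // unknown or anonymous session
    }
    // Honour the IP lock recorded at login (full-address lock assumed; a partial
    // lock such as "10.0.0.[DISABLED]" would need a prefix comparison instead).
    $lock = $row['ses_iplock'];
    if ($lock !== '' && $lock !== '[DISABLED]' && $lock !== $clientIp) {
        return null;
    }
    if ($now - (int)$row['ses_tstamp'] > TYPO3_SESSION_LIFETIME) {
        return null;                                  // stale session
    }
    return ['uid' => (int)$row['uid'], 'username' => $row['username'], 'usergroup' => $row['usergroup']];
}
// Call on the CodeCharge side before its own authorisation check runs.
function bridgeTypo3Login(PDO $pdo): bool
{
    $user = typo3SessionUser($pdo, $_COOKIE['fe_typo_user'] ?? '',
                             $_SERVER['REMOTE_ADDR'] ?? '', time());
    if ($user === null) {
        return false;                                 // let CodeCharge's own logon.php handle it
    }
    session_regenerate_id(true);                      // new PHP session id on privilege change
    $_SESSION['UserID']     = $user['uid'];
    $_SESSION['UserLogin']  = $user['username'];
    $_SESSION['UserRights'] = $user['usergroup'];
    return true;
}
```

Because the lookup happens on the server against fe_sessions, a forged or expired cookie yields no CodeCharge session, which is the security gain over the "quickie" of copying variables at login time.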