User Validation
From XOMBO Documentation
XOMBO Platform validates users with multiple layers of security. For questions related to Access Control or Group Management please reference the Access Control documentation.
No plain-text passwords are stored in databases managed by the bundled authentication system. Passwords are stored as hashes computed with a configurable hash function, which you can tune to the specific requirements of your organization.
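As an added illustration of a tunable password hash (example code written for this page, not XOMBO's own implementation), the snippet below uses PHP's built-in `password_hash` / `password_verify` API with bcrypt. The tunable parameter is the bcrypt cost; the hypothetical helper `calibrateBcryptCost` picks a cost that takes about a quarter of a second per hash on the current hardware, and `checkPassword` upgrades hashes that were stored with an older, cheaper cost the next time the user logs in. The target time and cost bounds are assumptions chosen for the example.

```php
<?php
// Added example, not XOMBO code. Demonstrates storing passwords as tunable
// bcrypt hashes via PHP's password_* API. Target time and cost range are
// assumptions for illustration; tune them to your own requirements.

declare(strict_types=1);

/**
 * Pick the bcrypt cost so that one hash takes roughly $targetMs on this machine.
 * The cost is the "tunable" part of the hash: raise it as hardware gets faster.
 */
function calibrateBcryptCost(float $targetMs = 250.0, int $minCost = 10, int $maxCost = 14): int
{
    for ($cost = $minCost; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000.0;
        if ($elapsedMs >= $targetMs) {
            return $cost;
        }
    }
    return $maxCost;
}

function hashPassword(string $plain, int $cost): string
{
    // password_hash generates a random salt and embeds algorithm, cost and
    // salt in the returned string, so that string is all that is stored.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * Verify a login attempt. If the stored hash was produced with a cost lower
 * than the current setting, return a fresh hash so the caller can replace it.
 * Returns [bool $ok, ?string $rehashed].
 */
function checkPassword(string $plain, string $storedHash, int $currentCost): array
{
    if (!password_verify($plain, $storedHash)) {
        return [false, null];
    }
    $rehashed = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        $rehashed = hashPassword($plain, $currentCost);
    }
    return [true, $rehashed];
}

// Demo with a constructed sample password.
$cost = calibrateBcryptCost();
$stored = hashPassword('correct horse battery staple', $cost);
[$ok, $upgrade] = checkPassword('correct horse battery staple', $stored, $cost);
var_dump($ok, $upgrade);          // $upgrade stays null while the cost is current
[$bad] = checkPassword('wrong password', $stored, $cost);
var_dump($bad);

// Simulate a hash stored years ago with a cheaper cost: the login succeeds
// and a replacement hash at the current cost is handed back for storage.
$old = hashPassword('correct horse battery staple', 4);
[$ok, $upgrade] = checkPassword('correct horse battery staple', $old, $cost);
var_dump($ok, $upgrade !== null);
```

Calibrate once at deployment (or on a schedule), not on every request, and persist the chosen cost in configuration; the rehash-on-login path is what lets the organization raise the cost later without forcing a password reset. Note that bcrypt only uses the first 72 bytes of the input.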
Developers can choose to require HTTPS (SSL/TLS) for selected transactions, including (but not limited to) login, registration, password change, and account settings.
Cross-server and cross-domain transactions are completed using uniquely generated "tokens". Each token can be redeemed only once and expires 60 seconds after it is issued.
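The following is an added example (not XOMBO's own token code) of a single-use, 60-second cross-server token of the kind described above. The token carries the user id, a purpose, the issue time and a random nonce, authenticated with an HMAC under a secret that both servers are assumed to share out of band. Redemption verifies the MAC in constant time before trusting any field, rejects tokens older than 60 seconds, and records the nonce so a second redemption fails. The class name, the in-memory nonce store and the constructed timestamps are assumptions for the example.

```php
<?php
// Added example, not XOMBO code. Single-use tokens with a 60-second lifetime.
// Assumptions: both servers share $secret; the redeemed-nonce store is shared
// between them (a plain array here, for illustration only).

declare(strict_types=1);

const TOKEN_TTL_SECONDS = 60;

final class OneTimeTokens
{
    /** @var array<string,int> nonce => time after which it can be forgotten */
    private array $redeemed = [];

    public function __construct(private string $secret) {}

    /** Issue a token bound to a user id and to the purpose it may be redeemed for. */
    public function issue(string $userId, string $purpose, ?int $now = null): string
    {
        $now ??= time();
        $nonce = bin2hex(random_bytes(16));   // 128 random bits: unguessable and unique
        $payload = implode('|', [$userId, $purpose, (string)$now, $nonce]);
        $mac = hash_hmac('sha256', $payload, $this->secret);
        return base64_encode($payload . '|' . $mac);
    }

    /**
     * Redeem a token. Returns the user id on success, null on any failure.
     * Order of checks: structure, MAC (constant time), purpose, age, single use.
     */
    public function redeem(string $token, string $expectedPurpose, ?int $now = null): ?string
    {
        $now ??= time();
        $decoded = base64_decode($token, true);
        if ($decoded === false) {
            return null;
        }
        $parts = explode('|', $decoded);
        if (count($parts) !== 5) {
            return null;
        }
        [$userId, $purpose, $issuedAt, $nonce, $mac] = $parts;
        $expectedMac = hash_hmac('sha256', implode('|', [$userId, $purpose, $issuedAt, $nonce]), $this->secret);
        if (!hash_equals($expectedMac, $mac)) {
            return null;                      // forged or tampered: trust nothing below
        }
        if ($purpose !== $expectedPurpose) {
            return null;                      // a login token cannot be spent on a password change
        }
        $issuedAt = (int)$issuedAt;
        if ($issuedAt > $now || $now - $issuedAt > TOKEN_TTL_SECONDS) {
            return null;                      // expired, or issued "in the future" (clock skew)
        }
        $this->pruneExpired($now);
        if (isset($this->redeemed[$nonce])) {
            return null;                      // replay: already redeemed once
        }
        $this->redeemed[$nonce] = $issuedAt + TOKEN_TTL_SECONDS;
        return $userId;
    }

    private function pruneExpired(int $now): void
    {
        // A nonce older than the TTL can never validate again, so it need not be remembered.
        foreach ($this->redeemed as $nonce => $forgetAfter) {
            if ($forgetAfter < $now) {
                unset($this->redeemed[$nonce]);
            }
        }
    }
}

// Demo with constructed timestamps (seconds).
$tokens = new OneTimeTokens('shared-secret-for-example-only');
$t = $tokens->issue('user42', 'cross-domain-login', 1_000_000);
var_dump($tokens->redeem($t, 'cross-domain-login', 1_000_030));   // first use, 30 s later
var_dump($tokens->redeem($t, 'cross-domain-login', 1_000_031));   // second use is refused
var_dump($tokens->redeem($t, 'password-change', 1_000_031));      // wrong purpose is refused
$t2 = $tokens->issue('user42', 'cross-domain-login', 1_000_000);
var_dump($tokens->redeem($t2, 'cross-domain-login', 1_000_061));  // 61 s later: expired
```

In a real cross-server deployment the "already redeemed" check must be atomic and visible to every server that can redeem a token (for example an `INSERT` into a table with a unique constraint on the nonce), otherwise two servers racing on the same token could both accept it.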
In addition to the HTTP session support built into PHP, XOMBO Platform performs additional "sanity checks" to ensure attackers cannot "spoof" accounts or cookies and take over a user's HTTP session. Keep in mind that an HTTP session (or session key) is different from $Session, although the two are related.
- A user can be logged in on only one machine at any time.
- Old sessions are terminated or invalidated after:
  - a specific time-out (configurable);
  - the user logs in from another browser or machine;
  - the browser version or identifier changes;
  - the user's source IP changes (Squid HTTP Accelerator's "Forwarded on behalf of" HTTP header is honored when appropriate);
  - an administrator assumes control of the account with the "become" feature.
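The checks listed above, as an added example written for this page (it is not the code in sessionbase.class.php). A session record is compared against the current request on every hit: idle time-out, whether a newer login (or an admin "become") has superseded this session, a changed browser identifier, and a changed client IP. The forwarded-for header is trusted only when the request arrives from a known proxy, otherwise any client could set the header itself to defeat the IP check. The constant names, the `X-Forwarded-For` header (assumed here in place of the Squid header the page mentions), the session and request array shapes and all sample values are assumptions for the example.

```php
<?php
// Added example, not XOMBO code. Per-request session sanity checks.
// Assumptions: session records and request data are plain arrays (a real
// deployment would load them from the session store and $_SERVER); the
// accelerator/proxy sets X-Forwarded-For; constants below are illustrative.

declare(strict_types=1);

const SESSION_TIMEOUT_SECONDS = 1800;    // the configurable idle time-out
const TRUSTED_PROXIES = ['10.0.0.5'];    // only these hosts may supply a forwarded-for header

/** Resolve the client IP, honoring X-Forwarded-For only when sent by a trusted proxy. */
function clientIp(array $request): string
{
    $remote = $request['REMOTE_ADDR'];
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($request['HTTP_X_FORWARDED_FOR'])) {
        // Left-most entry is the original client; each proxy appends its upstream.
        $first = trim(explode(',', $request['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;   // untrusted hosts cannot pick their own "client" address
}

/** Starting a new session for a user supersedes any previous one (also used by "become"). */
function registerLogin(array &$currentSessionByUser, string $userId, string $sessionId): void
{
    $currentSessionByUser[$userId] = $sessionId;
}

/**
 * Returns null while the session is still valid, otherwise a short reason the
 * caller can log before destroying the session and forcing a fresh login.
 */
function sessionInvalidReason(array $session, array $request, array $currentSessionByUser, int $now): ?string
{
    if ($now - $session['last_seen'] > SESSION_TIMEOUT_SECONDS) {
        return 'timeout';
    }
    if (($currentSessionByUser[$session['user_id']] ?? null) !== $session['id']) {
        return 'superseded';            // logged in elsewhere, or an admin used "become"
    }
    if ($session['user_agent'] !== ($request['HTTP_USER_AGENT'] ?? '')) {
        return 'user-agent changed';
    }
    if ($session['ip'] !== clientIp($request)) {
        return 'ip changed';
    }
    return null;
}

// Constructed sample data.
$active = [];
registerLogin($active, 'alice', 'sess-A');
$session = [
    'id' => 'sess-A', 'user_id' => 'alice', 'ip' => '203.0.113.7',
    'user_agent' => 'Mozilla/5.0 (X11; Linux) Firefox/115', 'last_seen' => 1_000_000,
];
$request = [
    'REMOTE_ADDR' => '10.0.0.5',                 // the trusted accelerator
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',      // real client behind it
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/115',
];

var_dump(sessionInvalidReason($session, $request, $active, 1_000_100));   // still valid

// Same cookie and header replayed from an untrusted host: the forged
// X-Forwarded-For is ignored, so the IP no longer matches.
$replayed = $request;
$replayed['REMOTE_ADDR'] = '198.51.100.9';
var_dump(sessionInvalidReason($session, $replayed, $active, 1_000_100));

// A second login for alice (or an administrator "becoming" alice) supersedes sess-A.
registerLogin($active, 'alice', 'sess-B');
var_dump(sessionInvalidReason($session, $request, $active, 1_000_100));

// Idle for longer than the configured time-out.
var_dump(sessionInvalidReason($session, $request, $active, 1_000_000 + SESSION_TIMEOUT_SECONDS + 1));
```

Two caveats a deployer should weigh: binding to the source IP logs out legitimate users whose address changes (mobile networks, rotating NAT pools), and the browser-identifier check only stops an attacker who replays the cookie without also copying the User-Agent string, so neither replaces a secure, HttpOnly session cookie sent only over HTTPS.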
File: ./model/sessionbase.class.php (SVN: http://svn.xombo.org/svn/platform/current/trunk/model/sessionbase.class.php)