Tips: PHP security
View Single Post
09-06-2007, 04:46 PM
Join Date: Sep 2007
Thanks for posting Village Idiot, that's a really nice introduction to PHP security. I hope you don't mind, but here is my contribution:
Using sessions can be an alternative to using cookies. You can store common data, such as username, userid, email, etc. in a session and then store the session id along with the cookie. Then when the user logs in, use the cookie session id to retrieve the session data.
There are some precautions to using this method, for example a user could guess an administrators session id, thus introducing a new concept, session hijacking.
To combat this the developer could store a unique key along with the session id. This unique key would be stored in both the users cookie and in the session. Then when a user requests the session, compare the unique key in the session to the one stored in their cookie, if they don't match, don't allow them access to the session and destroy their cookie.
You can improve the security further by regenerating session ids on every request, but I'll leave that for another day :)
View Public Profile
Send a private message to Karl
Find More Posts by Karl