
Session Encrypting/Hashing

Posted: Tue Jul 01, 2003 2:00 pm
by php_wiz_kid
How do I encrypt or hash sessions so that users can't modify the session temporary file?

Posted: Tue Jul 01, 2003 2:06 pm
by nielsene
Are you worried about local users modifying the session files, or web users modifying the session id?

If the former, you'll have to write your own custom session handler.
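
An added example (not part of the original post, and not nielsene's code) of the kind of custom session handler mentioned above: it extends PHP's built-in file handler and authenticates the stored session data with an HMAC, so a file edited by another local user is discarded instead of trusted. It assumes PHP 8 and a hypothetical environment variable `SESSION_MAC_KEY` holding a random secret those users cannot read; the HMAC gives integrity only, not confidentiality.

```php
<?php
// Added example: file-backed session handler that detects modified session files.
// Assumption: SESSION_MAC_KEY is a hypothetical env var holding a random secret.
// Anyone who can read that key can forge valid tags, so keep it out of reach
// of the local users who can write to the session directory.

class MacSessionHandler extends SessionHandler
{
    private const MAC_LEN = 64; // hex length of an HMAC-SHA256 tag

    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) < 32) {
            throw new InvalidArgumentException('MAC key must be at least 32 bytes');
        }
        $this->key = $key;
    }

    // Bind the tag to the session id so one session's file cannot be copied over another's.
    private function tag(string $id, string $data): string
    {
        return hash_hmac('sha256', $id . "\0" . $data, $this->key);
    }

    public function write(string $id, string $data): bool
    {
        // Stored layout: 64 hex characters of tag, then the serialized session data.
        return parent::write($id, $this->tag($id, $data) . $data);
    }

    public function read(string $id): string|false
    {
        $stored = parent::read($id);
        if ($stored === false || $stored === '') {
            return ''; // new or empty session
        }
        $mac  = substr($stored, 0, self::MAC_LEN);
        $data = substr($stored, self::MAC_LEN);
        if (strlen($mac) !== self::MAC_LEN || !hash_equals($this->tag($id, $data), $mac)) {
            error_log('session data failed integrity check, discarding');
            return ''; // treat a tampered file as an empty session
        }
        return $data;
    }
}

$key = getenv('SESSION_MAC_KEY');
session_set_save_handler(new MacSessionHandler($key === false ? '' : $key), true);
session_start();
```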

Posted: Tue Jul 01, 2003 2:13 pm
by php_wiz_kid
I'm glad you're helping nielsene, I always read your security posts and you do a great job, I've implemented more of your stuff than anybody else. Keep up the good work.

Are the local users people who have access to the server, and web users are site visitors, right? I'm worried about the site visitors modifying the temporary file. I have it hashed, but that would probably be too easy to figure out. Should I worry about people who GET access to the server as in hackers, or does that not really happen? See, I'm new to PHP, and I'm trying my best to make my first site as secure as I possibly can.

Posted: Tue Jul 01, 2003 2:15 pm
by nielsene
Site visitors should have no way to modify the temporary files stored on the server, unless you are doing something very weird.

I'm working on a series of articles covering other security aspects. I hope to have the first two-three out in the next week. If you can wait that long for a more complete answer, it would probably be better than anything I'll throw together here right now.

Posted: Tue Jul 01, 2003 2:20 pm
by php_wiz_kid
No, I mean the temporary file that gets stored on the user's local machine when you start a session. Or is that what you mean and I'm doing something weird?

Posted: Tue Jul 01, 2003 2:27 pm
by nielsene
Ohh, that's the cookie. OK, I understand now.

Have you read this thread, especially the linked version at the end? That should protect the client-side session value.

The tutorial I'm working on has a more elegant solution, but the old one still works and is secure.

Posted: Tue Jul 01, 2003 2:32 pm
by php_wiz_kid
Thanks again nielsene, if this works then you've done it again. Message me when you get your security thing up. I would look forward to reading that.

security tutorial

Posted: Tue Jul 01, 2003 6:09 pm
by phpScott
Are you going to be posting the tutorial on the phpdn somewhere for all of us who are keenly interested?

phpScott

Posted: Tue Jul 01, 2003 6:44 pm
by nielsene
Yes, hopefully the first installments will be up in about a week.