security concerns (on fopen script)

PHP programming forum.


jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm


Post by jakobdoppler »

Hi

I read a lot about sessions and how to make a secure area for sensitive data use. But when it comes down to a simple question I can't explain it to myself.

I have two pages. One displays a few document links which direct to a second page, which handles the fopen filestream to the client. So what is the best way to transmit the information about this document (path, filename and username) to the second page (where I have to check if the info is valid)?

Do I save this info in the session and recall it in the second script page, or do I transmit it with GET parameters? Or is there even a better, more secure way? I thought about maybe encrypting parameters. Some function similar to the MySQL function in PHP.

Code:

    ENCODE(str,pass_str)
    DECODE(crypt_str,pass_str)

But I haven't found one.
-----------------------
In general I want to take the following things into consideration:
- SSL
- WWW Auth
- Session Handling
Am I missing something important for more security?

Thx for the great support, _yak
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'd just stick the data into the session data and call it good. Since the session data is stored on the server, it's pretty secure. The session data could be stored in the database, or just use the file system.
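One way to apply that answer to the two-page setup from the question, as an added example that is not code from this thread: the first page registers the documents the logged-in user may read in `$_SESSION` under opaque tokens, the link carries only the token, and the second page resolves the token back to a path from the session before opening the file. `DOC_ROOT`, `documents_for_user()` and `$_SESSION['user']` are assumptions standing in for the application's own configuration and lookup.

```php
<?php
// Added example, not from the thread. Page 1 stores an allow-list of documents in
// the session keyed by a random token; page 2 maps the token back to a path via the
// session, so no path or username ever travels in the URL. Both pages are shown in
// one file; in practice they are two scripts that each call session_start().
declare(strict_types=1);

const DOC_ROOT = '/var/www/private_docs';   // assumption: outside the web root

session_start();

/** Hypothetical application lookup: which files may this user download? */
function documents_for_user(string $username): array
{
    // Constructed sample data; a real application would query its database.
    $all = [
        'alice' => ['reports/q1.pdf', 'reports/q2.pdf'],
        'bob'   => ['manual.pdf'],
    ];
    return $all[$username] ?? [];
}

/** Page 1: register the user's documents in the session and emit links. */
function render_document_links(string $username): string
{
    $_SESSION['downloads'] = [];                 // fresh allow-list on every render
    $html = '';
    foreach (documents_for_user($username) as $relPath) {
        $token = bin2hex(random_bytes(16));      // opaque, unguessable identifier
        $_SESSION['downloads'][$token] = ['user' => $username, 'path' => $relPath];
        $html .= sprintf('<a href="download.php?t=%s">%s</a><br>' . "\n",
                         $token, htmlspecialchars(basename($relPath), ENT_QUOTES));
    }
    return $html;
}

/** Page 2: resolve the token against the session, then stream the file. */
function serve_download(string $token, string $currentUser): void
{
    $entry = $_SESSION['downloads'][$token] ?? null;
    if ($entry === null || !hash_equals($entry['user'], $currentUser)) {
        http_response_code(404);                 // unknown token or another user's token
        return;
    }
    // Defence in depth: the path came from the session, not the client, but still
    // confirm the resolved file lies under DOC_ROOT before opening it.
    $root = realpath(DOC_ROOT);
    $full = realpath(DOC_ROOT . '/' . $entry['path']);
    if ($root === false || $full === false
        || strncmp($full, $root . '/', strlen($root) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    $fh = fopen($full, 'rb');
    if ($fh === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($full) . '"');
    header('Content-Length: ' . (string) filesize($full));
    fpassthru($fh);                              // stream without reading the whole file into memory
    fclose($fh);
}

// Usage: page 1 echoes render_document_links($_SESSION['user']);
// page 2 calls serve_download($_GET['t'] ?? '', $_SESSION['user'] ?? '').
```

Because the allow-list is rebuilt each time the link page renders, a token only ever resolves to a document the current user was shown, and the same session must present it, so a copied link does nothing in another browser.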
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

What exactly do you mean by storing session data in a database? Do you mean the whole session information, or only rechecking the session id? What does this affect?

Thank you very much for your support and good comment ! :)
_yak
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

All the session information.
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

Mmh. I don't understand? What security feature does a session in a DB offer as opposed to a normal session? Is it serialized data?

_yak
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Both are serialized. Normal ones are file-based and not encrypted. Database ones can be any way you want, since you create it.
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

That means I could use it in this way?

- I store the whole $_SESSION in a DB with session_id() as index
- clear $_SESSION
- and recall all info on another page with the DB and session_id()

Am I right or totally out of my mind? :-)

Thx again, Jakob
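An added example, not from this thread, showing what feyd's "database ones can be any way you want since you create it" and the three-step plan above look like when done with `session_set_save_handler()`: PHP hands the handler the serialized `$_SESSION` and the session id on write, and asks for it back by id on read, so the manual store/clear/recall steps happen transparently on every page that starts the session. The payload is encrypted with libsodium before it reaches the table, which is the PHP-side counterpart of the ENCODE/DECODE idea from the first post. SQLite, the `sessions` table layout and the `SESSION_KEY` environment variable are assumptions.

```php
<?php
// Added example, not from the thread: a database-backed session store. Rows are keyed
// by session id; the serialized session data is encrypted with a server-side key
// before it is written, so the table alone does not reveal session contents.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private string $key;   // 32-byte secretbox key

    public function __construct(PDO $db, string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 bytes');
        }
        $this->db  = $db;
        $this->key = $key;
        // Table name and layout are assumptions for this example.
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, updated INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    /** Called by session_start(): fetch and decrypt the serialized $_SESSION. */
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        if ($row === false) {
            return '';                           // new session: PHP expects an empty string
        }
        $blob  = base64_decode($row, true);
        if ($blob === false || strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return '';                           // corrupt row: start fresh
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        return $plain === false ? '' : $plain;   // tampered ciphertext: treat as empty
    }

    /** Called at request end: encrypt and upsert the serialized $_SESSION. */
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, base64_encode($blob), time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    /** Garbage collection: drop rows idle longer than session.gc_maxlifetime. */
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Wiring: every page that uses the session installs the handler before session_start().
$pdo = new PDO('sqlite:/var/lib/app/sessions.sqlite');        // path is an assumption
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$hex = getenv('SESSION_KEY');                                  // 64 hex chars, kept out of the web root
if ($hex === false || strlen($hex) !== 64) {
    throw new RuntimeException('SESSION_KEY must be set to 64 hex characters');
}
session_set_save_handler(new DbSessionHandler($pdo, sodium_hex2bin($hex)), true);
session_start();

// From here on $_SESSION works exactly as with the default file handler.
```

Nothing in the application code changes: `$_SESSION['downloads'] = ...` on one page and reading it on the next still works, but the row in the table is keyed by session id and holds only ciphertext, which is the property the file-based default does not give you.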
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »
