security concerns (on fopen script)

Posted: Fri Sep 03, 2004 2:48 am
by jakobdoppler
Hi

I have read a lot about sessions and how to make a secure area for sensitive data use. But when it comes down to a simple question, I can't explain it to myself.

I have two pages. One displays a few document links which direct to a second page that handles the fopen file stream to the client. So what is the best way to transmit the information about this document (path, filename and username) to the second page (where I have to check whether the info is valid)?

Do I save this info in the session and recall it in the second script page, or do I transmit it with GET parameters? Or is there even a better, more secure way? I thought about maybe encrypting the parameters, with some function similar to the MySQL functions in PHP.

Code:

    ENCODE(str,pass_str)
    DECODE(crypt_str,pass_str)
But I haven't found one.
-----------------------
In general I want to take the following things into consideration:
- SSL
- WWW Auth
- Session Handling
Am I missing something important for more security?

Thanks for the great support, _yak

Posted: Fri Sep 03, 2004 4:18 am
by feyd
I'd just stick the data into the session data and call it good. Since the session data is stored on the server, it's pretty secure. The session data could be stored in the database, or just use the file system.
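An added example (not feyd's or the original poster's code) of the two-page layout with the session as the only carrier of file information: the listing page decides server-side which files the user may read, stores that allow-list in `$_SESSION`, and hands the browser only opaque random tokens; the download page accepts a token only if this session issued it, resolves the path itself, re-checks it against the document root, and streams the file with fopen. The document root `/var/www/private-docs`, the sample file names and the `?doc=` parameter are assumptions for the illustration; both "pages" are shown in one script for brevity.

```php
<?php
// Added example, not from the thread. Both pages share one session cookie;
// the client never sees a path, only a per-session random token.
declare(strict_types=1);

const DOC_ROOT = '/var/www/private-docs'; // assumption: a directory outside the web root

// Page 1 role (list.php): the allow-list comes from the user's authorization data,
// never from the request. Tokens are random so the URL leaks nothing about the path.
function listDocuments(array $documentsForUser): array
{
    $links = [];
    $_SESSION['docs'] = [];
    foreach ($documentsForUser as $relativePath) {
        $token = bin2hex(random_bytes(16));
        $_SESSION['docs'][$token] = $relativePath;
        $links[] = 'download.php?doc=' . $token;
    }
    return $links;
}

// Page 2 role (download.php): the session, not the GET parameter, is authoritative.
function serveDocument(string $token): bool
{
    if (!isset($_SESSION['docs'][$token])) {
        http_response_code(403);                // token not issued to this session
        return false;
    }
    $path = realpath(DOC_ROOT . '/' . $_SESSION['docs'][$token]);
    // Defence in depth: even a stale or mis-filled session value must resolve under DOC_ROOT.
    if ($path === false || strpos($path, DOC_ROOT . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        http_response_code(404);
        return false;
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        http_response_code(500);
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    fpassthru($fh);
    fclose($fh);
    return true;
}

// Wiring: send the session id only over TLS and keep it away from script access.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

if (isset($_GET['doc'])) {
    serveDocument((string) $_GET['doc']);       // download.php role
} else {
    // Constructed sample input: in a real app this list is looked up for
    // $_SESSION['username'] from the database.
    $links = listDocuments(['reports/q3.pdf', 'contracts/nda.pdf']);
    foreach ($links as $href) {
        echo '<a href="', htmlspecialchars($href, ENT_QUOTES), '">', htmlspecialchars($href), '</a><br>';
    }
}
```

The point of the token indirection is that nothing the browser sends is ever used as a path: a tampered `doc` parameter can only miss the session map and get a 403. The realpath check is the caveat for the session side, since whatever ends up in `$_SESSION['docs']` is trusted; if the allow-list is ever built from a user-influenced source, that check is what keeps `../` out of the document root.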

Posted: Fri Sep 03, 2004 4:33 am
by jakobdoppler
What exactly do you mean by storing session data in a database? Do you mean the whole session information, or only rechecking the session ID? What does this affect?

Thank you very much for your support and good comment ! :)
_yak

Posted: Fri Sep 03, 2004 4:42 am
by feyd
all the session information.

Posted: Fri Sep 03, 2004 5:20 am
by jakobdoppler
Hmm, I don't understand. What security feature does a session in a DB offer as opposed to a normal session? Is it serialized data?

_yak

Posted: Fri Sep 03, 2004 5:35 am
by feyd
Both are serialized. Normal ones are file based and not encrypted; database ones can be any way you want, since you create it.

Posted: Fri Sep 03, 2004 8:30 am
by jakobdoppler
That means I could use it in this way?

- I store the whole $_SESSION in a DB with session_id() as index
- clear $_SESSION
- and recall all info on another page with the DB and session_id()

Am I right or totally out of my mind? :-)

Thx again, Jakob
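An added example (not code from the thread) of a database-backed session store, done through PHP's SessionHandlerInterface (PHP 8 syntax) rather than by copying `$_SESSION` around by hand: PHP hands the handler the serialized `$_SESSION` at the end of each request and asks for it back at `session_start()`, so the "store, clear, recall" cycle happens transparently. Because feyd's point was that the storage format is yours to choose, the handler also encrypts each row with libsodium's secretbox before it reaches the database. The `sessions` table layout, the SQLite in-memory database used to make this runnable, and the per-process key are assumptions for the illustration.

```php
<?php
// Added example, not from the thread. Requires ext-pdo_sqlite and ext-sodium.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    // $key must come from a secret store, never from the same database.
    public function __construct(private PDO $db, private string $key) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';                          // new session: nothing stored yet
        }
        $blob = base64_decode($row['data'], true);
        if ($blob === false || strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return '';                          // corrupt row: start empty rather than trust it
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        return $plain === false ? '' : $plain;  // a tampered row fails authentication and is discarded
    }

    public function write(string $id, string $data): bool
    {
        // $data is the serialized $_SESSION; a fresh nonce per write, nonce||ciphertext stored base64.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob = base64_encode($nonce . sodium_crypto_secretbox($data, $nonce, $this->key));
        // SQLite upsert; MySQL would use INSERT ... ON DUPLICATE KEY UPDATE instead.
        $stmt = $this->db->prepare('INSERT OR REPLACE INTO sessions (id, data, updated_at) VALUES (:id, :data, :t)');
        return $stmt->execute([':id' => $id, ':data' => $blob, ':t' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated_at < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Demo wiring (constructed): an in-memory database so the script runs stand-alone.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, updated_at INTEGER NOT NULL)');
$key = sodium_crypto_secretbox_keygen();       // assumption: production loads a persistent key, not a fresh one
session_set_save_handler(new PdoSessionHandler($db, $key), true);

// "Page 1": populate the session and let PHP write it through the handler.
session_start();
$_SESSION['username'] = 'jakob';
$_SESSION['doc'] = 'reports/q3.pdf';
session_write_close();

// What the database actually holds: no plaintext field names or values.
$raw = (string) $db->query('SELECT data FROM sessions')->fetchColumn();
echo 'row contains "jakob" in clear: ', var_export(str_contains($raw, 'jakob'), true), PHP_EOL;

// "Page 2": the same session id is enough to get everything back.
session_start();
echo 'recalled: ', $_SESSION['username'], ' -> ', $_SESSION['doc'], PHP_EOL;
```

Two caveats a practitioner would want here. First, moving the store into a database (encrypted or not) changes where the data rests, not who can reach it: the session id in the cookie is still the bearer credential, so the things the original question lists, TLS and careful session handling (secure/httponly cookie flags, regenerating the id on login), matter more than the storage backend. Second, the encryption only protects against someone who reads the `sessions` table without also holding the key; the key must therefore live outside that database, for instance in the application's configuration on the web host.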

Posted: Fri Sep 03, 2004 11:36 am
by feyd