$_SESSION
Posted: Wed Jun 19, 2002 1:49 am
I'm writing authentication code.
Is there any possible way one can access/alter/erase my session data through the browser (or any kind of HTTP connection)?
Is sending the password and username as POST data as "secure" as sending HTTP auth headers to the browser? (And thus getting passwords and usernames.)
If I understand correctly, PHP sessions use cookies to store the session id on the client side? This is a possible security threat too, right?
My idea is to check passwords and usernames only once and set a flag like $_SESSION["all_ok"] = "TRUE"; then I can check only that variable, and if that is OK I can continue to execute the script. (Checking happens as the first thing in a page.) Also I thought about setting a cookie that contains another id and a time; if (servertime - cookie time) > 10 min, stop the session. So if all these three things (and possibly some more) are OK (flag, time, my own id), the user is considered authenticated. Are there any obvious security threats that I'm missing?
Are there any reasons why I shouldn't store the password and username in $_SESSION? If it really is secure, is it also safe to save anything there?
What are the advantages if I use Mohawk Software's session handler?
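The following is an added example, not code from the poster or from any session handler product mentioned above. It shows the "check once, then check a flag on every page" pattern the post describes, with three choices a defender would make today: only the user id and a timestamp go into $_SESSION (never the password), the 10-minute inactivity timestamp is kept server-side in the session rather than in a client cookie that the browser could rewrite, and the session id is regenerated at login. It assumes PHP 7.3 or later (array form of session_set_cookie_params, password_hash/password_verify) and a hypothetical lookup_user() standing in for a database query.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.3 and a
// hypothetical lookup_user() that returns a row containing a password hash
// created with password_hash().

declare(strict_types=1);

const IDLE_TIMEOUT = 600; // 10 minutes, the limit used in the post

// Harden the session-id cookie: unreadable by scripts, sent only over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical user store; real code would query a database.
function lookup_user(string $username): ?array
{
    // Constructed sample row: password "correct horse" hashed at first use.
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

// Called once, from the login form handler (credentials arrive as POST over HTTPS).
function login(string $username, string $password): bool
{
    $user = lookup_user($username);
    // Compare against the stored hash; the plaintext password is never kept.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Fresh session id on login so an id set before authentication cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user['id'];
    $_SESSION['last_activity'] = time();   // server-side, not in a client cookie
    return true;
}

// Called as the first thing on every protected page; returns the user id.
function require_login(): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])
        || time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();   // sliding inactivity window
    return (int) $_SESSION['user_id'];
}

// Clears server-side state and expires the session cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

With this layout the only secret the browser ever holds is the session id itself, so the protection of the whole scheme reduces to keeping that cookie confidential (HTTPS, HttpOnly) and short-lived (the server-side timeout); a flag such as all_ok adds nothing that the presence of user_id does not already give, and storing the password alongside it would only widen what a leaked session file exposes.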