session security opinion requested

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

rjwebgraphix
Forum Newbie
Posts: 11
Joined: Fri Mar 11, 2005 8:10 am


Post by rjwebgraphix »

I have a contact form that, when submitted, passes back to the form with an &error=field on the URL if it errors. The error is looked at and an error message is displayed based on what is wrong.

I'm using $_SESSION to pass the info back to the form so it's still filled out the way they left it.

If they successfully submit the form, the thank you page will destroy the session data.

If they navigate away from the unfinished form and come back to it through a link, the session is destroyed.

The only minor issue I see is if they navigate away from the errored form and don't come back to it, the session isn't destroyed. What can happen if the session isn't destroyed?

Is there a major concern with this?
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

No. Take a look at your phpinfo(); you will see a session timeout setting. You can also set the session timeout manually.
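
An added example, not part of either post above: one way to set the timeout manually and also expire the saved form fields on the application side, assuming the setting meant is `session.gc_maxlifetime`. `FORM_TTL`, the `contact_form` key and the three helper functions are hypothetical names.

```php
<?php
// Added example. FORM_TTL, 'contact_form' and the helpers are hypothetical names.
declare(strict_types=1);

const FORM_TTL = 900; // seconds an abandoned form may stay in the session (assumed value)

// Tell PHP's session garbage collector that data idle longer than FORM_TTL may be
// removed. Collection runs probabilistically (session.gc_probability /
// session.gc_divisor), so this is an upper bound only when GC actually fires.
ini_set('session.gc_maxlifetime', (string) FORM_TTL);
session_start();

// Store the submitted fields together with the time they were saved.
function save_form(array $fields): void
{
    $_SESSION['contact_form'] = ['saved_at' => time(), 'fields' => $fields];
}

// Return the saved fields, or an empty array if nothing is stored or the entry is
// older than FORM_TTL. Stale entries are deleted on read, so the limit is enforced
// even if the garbage collector has not run yet.
function load_form(?int $now = null): array
{
    $now = $now ?? time();
    $entry = $_SESSION['contact_form'] ?? null;
    if (!is_array($entry) || $now - (int) ($entry['saved_at'] ?? 0) > FORM_TTL) {
        unset($_SESSION['contact_form']);
        return [];
    }
    return (array) $entry['fields'];
}

// Call from the thank-you page: drop only the form data, leave the session intact.
function clear_form(): void
{
    unset($_SESSION['contact_form']);
}

// Constructed sample input, not data from the thread.
save_form(['name' => 'Alice', 'email' => 'alice@example.test']);
var_dump(load_form());                      // read back within the TTL
var_dump(load_form(time() + FORM_TTL + 1)); // simulate a return visit after the TTL
clear_form();
```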