Session Security Tips and Help Needed

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

khaki_monster
Forum Commoner
Posts: 73
Joined: Tue Oct 11, 2005 12:36 am
Location: Philippines

Post by khaki_monster »

How do I keep my sessions safe?

cheerz!
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Is there anything in particular you need answering?

That is quite a vague question.. some of the generics are:

Set PHP to use cookie only for the session id (i.e. so it doesn't use GET variables in the URI)

Use databases to store session info. Not a 'must', but on shared hosting sometimes session data is stored in shared directories.. still doesn't generate a huge security risk, in fact can be a negligible difference, but decreases the availability of the data to others.

Regenerate a session ID whenever the user logs in (i.e. if they log out, then re-enter their username/pass) - giving them a fresh, new 'key' as it were to the session data.

Anything else and you will have to be more specific to what you require :)
khaki_monster
Forum Commoner
Posts: 73
Joined: Tue Oct 11, 2005 12:36 am
Location: Philippines

Post by khaki_monster »

This PHP matter is totally new to me... so ("and sorry") I'm not really sure how to throw a question.
But I'm glad most of my questions are answered :) though my english grammar suckz.

cheerz!
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

No worries, if you stumble across any particular problems, post on these forums with the relevant sections of code and myself and/or others will be happy to assist (in most cases :P)