secure sessions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

php4user2007
Forum Newbie
Posts: 12
Joined: Mon Apr 02, 2007 4:12 am

secure sessions

Post by php4user2007 »

Hi,

I created a few log-in protected pages (maybe 10) that contain mostly customer information stored in a database as well as a couple of online payment processes (I did a simple integration of my front and back end with an online merchant solution provider).

I'm considering a few security enhancements but am not fully sure how to implement them properly or whether they are sensible:

1.) FULL SSL connection: If I always require a secure connection starting from the login screen (I'm using sessions), then every time the user opens another page he or she gets an annoying message about secured and unsecured items. (For the user this message sounds worrisome and is annoying because it pops up on every new page visited.) Is there a way to eliminate this message or at least limit it to occurring only once at the beginning? Otherwise the 2.) option may be necessary.

2.) PARTIAL SSL connection: Would it make sense to only run the login page and/or the online payment page over an SSL connection? I mean the session continues on throughout the other pages as well, so I would think it is advisable to always use a secure connection even if there is no sensitive data displayed. Any thoughts?

3.) Session security setting: I wrote the following code above my session_start() line and I'm wondering what kind of degree of security I can expect from that. I suppose this setting requires an SSL connection, so it would be redundant if the security measure mentioned above is implemented. Does it then add any value to include the line of code below on every page?

// lifetime 1800 s, cookie path '/', default (current) domain, Secure flag set
session_set_cookie_params(1800, '/', '', true);



thanks, and sorry for so many questions...


php4user2007
Forum Newbie
Posts: 12
Joined: Mon Apr 02, 2007 4:12 am

fixed warning message

Post by php4user2007 »

ok, I sort of fixed 1.) and 2.) with advice received on another blog.

still wondering, however, how you make sure that the user cannot change the https to http after correctly logging into the application. Currently I can do that and I assume this poses a potential security breach, no?
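The two open points in this thread (what the Secure cookie flag buys you, and how to stop a logged-in session from continuing over plain http) can be handled in one small session bootstrap. The following is an added example written for this thread; it is not the original poster's code. It assumes PHP terminates TLS itself (so $_SERVER['HTTPS'] is trustworthy; behind a reverse proxy you would check the proxy's forwarded header instead), and the host name, the /login.php path and the SESSION_LIFETIME constant are placeholders of my own.

```php
<?php
// Added example for this thread, not the poster's code.
// Include at the top of every protected page, before any output.

define('SESSION_LIFETIME', 1800);            // seconds, same value as in the original post
define('SITE_HOST', 'www.example.com');      // placeholder: your canonical host name

function request_is_https()
{
    // Assumption: PHP sees the TLS connection directly (no reverse proxy).
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function require_https()
{
    if (!request_is_https()) {
        // Any plain-http request (e.g. the user editing the URL) is bounced back
        // to https before a session is even opened. The Secure flag below means
        // the browser never sent the session cookie over http in the first place.
        header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    // Tell the browser to refuse plain http for this host for a year (HSTS).
    header('Strict-Transport-Security: max-age=31536000');
}

function start_secure_session()
{
    require_https();

    // Accept the session ID only from the cookie, never from the query string.
    ini_set('session.use_only_cookies', '1');

    // lifetime 1800 s, path '/', default domain,
    // Secure  = cookie is only ever sent over https,
    // HttpOnly = cookie is not readable from JavaScript.
    session_set_cookie_params(SESSION_LIFETIME, '/', '', true, true);
    session_start();
}

function login_user($userId)
{
    // Issue a fresh session ID when the privilege level changes (login).
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $userId;
    $_SESSION['last_seen'] = time();
}

function logout_user()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    // Expire the cookie in the browser with the same attributes it was set with.
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function require_login()
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');   // placeholder path
        exit;
    }
    // Server-side idle timeout; the cookie lifetime alone is only a hint to the browser.
    if (time() - $_SESSION['last_seen'] > SESSION_LIFETIME) {
        logout_user();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// Usage on a protected page:
start_secure_session();
require_login();
```

With this in place, changing https to http in the address bar does not carry the session along: the browser withholds the Secure cookie on the http request, the server redirects straight back to https, and after the first visit the HSTS header makes the browser upgrade the request itself. Setting the cookie parameters on only the login page is not enough, because session_start() on the other pages would otherwise issue a cookie without the Secure flag, so the call belongs on every page, as the poster suspected.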