Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Well, neither. Session data is stored on the server. Passing the session id around can be the security issue, because this can allow others to hijack the session, which can happen with or without cookies.
That's another issue, you can't check the IP because a lot of times it can change per page request. This usually happens with AOL users because they route http requests through clusters of proxy servers.
astions wrote:That's another issue, you can't check the IP because a lot of times it can change per page request. This usually happens with AOL users because they route http requests through clusters of proxy servers.
That's what I thought. Any suggestions on how to prevent stealing a session from computer to computer?
astions wrote:You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
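The two points made so far (keep the session id out of URLs, and rotate it often) put into PHP as an added example. This is not code from the thread or from any of the posters; it assumes PHP 5.5.2 or later for `session.use_strict_mode`, and the `loginUser` function is a hypothetical login handler used only to show where a second regeneration belongs.

```php
<?php
// Added example (not from the original thread): harden session transport
// and regenerate the session id on every request to shrink the window in
// which a stolen id is useful.
declare(strict_types=1);

// Transport settings must be applied before session_start().
ini_set('session.use_only_cookies', '1'); // never read the id from the URL
ini_set('session.use_trans_sid', '0');    // never append the id to links/forms
ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued (PHP >= 5.5.2)
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1'); // only send the cookie over TLS
}

session_start();

// Per-request rotation, as suggested in the post above. Passing true
// deletes the old session data, so an id captured earlier stops working
// as soon as the legitimate user makes their next request.
// Caveat: concurrent requests from the same browser (AJAX, image tags)
// can race here; one of them may arrive with an id that was just
// invalidated and be treated as a fresh, anonymous session.
session_regenerate_id(true);

// Hypothetical login handler: regenerate again at the privilege change,
// so an id an attacker planted before login never becomes authenticated.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Note what is deliberately absent: no check against $_SERVER['REMOTE_ADDR'].
// As pointed out earlier in the thread, the client IP can change between
// requests behind proxy clusters, so tying the session to it locks out
// legitimate users without reliably stopping hijacking.
```

The per-request `session_regenerate_id(true)` is the most aggressive option; a site with many parallel requests per page may prefer rotating on a timer (for example every few minutes) plus at login, which keeps most of the benefit without the race.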
Good idea. I think that's what MySpace does with MyToken.
Hehe, I've stolen a "MyToken" before and was automatically logged into their account after loading it into my cookies. It didn't work the last time I did it though, and a good thing, too. If any website on the entire internet should put more effort into security, it's MySpace.
astions wrote:Hmm, that probably means they are either not encrypting them, or they are converting them to lower case or upper case before encrypting them.
Yeah, but MySpace passwords should be encrypted, and isn't it easier to guess passwords that are all lowercase than something like: PasSWOrD07
I changed my password with them. Now BOTH passwords work.