Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hey guys i was wondering, since im new at php, if this is very secure for checking sessions & re-creating the key so they can't be stolen. Please point out all flaws & security holes as I'm new and need to learn lol :] BTW this is just part of my script for a user system. Also it does have some weird bugs.
Lol k haha, thanks... i know its going to look bad to a pro but yeah i'm new at this and I'm teaching myself... kinda rushing through it too, which i shouldn't :S.
hashing anything more than once (sha1, md5, whatever) is not a security improvement. In fact, from an entropy point of view, it may reduce security by creating more collisions.
It looks like you're wanting to create what's called a "fingerprint" (you can google php fingerprint and you should find some things).
General session usage is generally secure for your day to day stuff. Just remember when you need a change in elevation of access to a particular area, regenerate the session (deleting the old one, if you can). If you need more than that, require that the user provide more authentication before granting their access and regenerating the session (like supplying their password again, or an alternate password, or something similar).
It's actually not a bad idea to regenerate sessions regularly, regardless of access levels.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.