News

Monday, 2 April 2007

Smooth Implementation of PHP Sessions

Oscar Merida, in a post on his blog, gives four steps for avoiding frustration with PHP sessions. He explains that PHP's session support makes it simple to add 'state' to your web application, but recalls that this illusion of state is maintained by storing a session ID in the user's cookies. He offers the following four tips to help you avoid wasting your time and to secure your site:

  • Don't use underscores in host names: unless you've memorized the RFC for the characters allowed in a host name, he says, you may not be aware that underscores are not permitted. He notes that some browsers, such as Firefox, don't enforce this prohibition, but Internet Explorer does and will refuse to set a cookie for a host name containing an underscore. As a result, IE causes PHP to generate a new session ID for the visitor on every page load, since the user never accepts a session ID.
  • Commit your session before redirects: call session_write_close() (or its alias session_commit()) to write session data before issuing an HTTP Location redirect. This also 'frees' the user's session so that they can carry on with other activities in your web application, he says.
  • Prevent session fixation: session fixation, he says, allows an attacker to obtain a valid session ID without predicting it or reading it from a user's cookies or $_GET array. Instead, the victim ends up using a session ID generated by the attacker rather than by your web server, he explains. You can prevent this by calling session_regenerate_id(), particularly after storing sensitive information such as a login name or flag. This should render the attacker's chosen session ID useless, he says.
  • Don't expose session IDs: cookies are a relatively more secure place to store session IDs than embedding them as a parameter in the query string. There are two ini settings that control this behaviour, and which one is appropriate is hard to tell, so he tells you to set both: set session.use_trans_sid to 0 (off), and if you're using PHP 4.3.0 or higher, also set session.use_only_cookies to 1.
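The following login handler is an added example that puts the four tips above together in one script; it is not code from Oscar Merida's post or from this article. It assumes PHP 5.1 or later (so that session_regenerate_id() accepts its delete-old-session argument), and the checkCredentials() function, the sample account inside it, and the /dashboard.php redirect target are hypothetical placeholders for your own code.

```php
<?php
// Added example, not from the original post: a minimal login handler that
// applies all four session tips. Assumes PHP 5.1+ for session_regenerate_id(true).

// Tip 1: IE will not set a cookie for a host name containing an underscore.
// This check only reports the problem; the fix is to rename the host in DNS
// and in the web server's virtual host configuration.
function hostnameAllowsCookies($host)
{
    // Drop an optional :port, then require RFC 1123 labels: letters, digits
    // and hyphens only, separated by dots. A label with an underscore fails.
    $host = preg_replace('/:\d+$/', '', $host);
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
    return (bool) preg_match('/^' . $label . '(\.' . $label . ')*$/i', $host);
}

// checkCredentials() is a hypothetical stand-in for your own user lookup.
function checkCredentials($user, $pass)
{
    // Constructed sample account; a real application compares a password hash.
    return $user === 'alice' && $pass === 'correct horse battery staple';
}

// Tip 4: keep the session ID in a cookie only, never in the query string.
// Both settings must be in place before session_start() is called.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

if (isset($_SERVER['HTTP_HOST']) && !hostnameAllowsCookies($_SERVER['HTTP_HOST'])) {
    error_log('Host name ' . $_SERVER['HTTP_HOST']
        . ' contains characters IE rejects in cookies; sessions will not persist');
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['user'], $_POST['pass'])
    && checkCredentials($_POST['user'], $_POST['pass'])) {

    // Tip 3: issue a fresh session ID before storing the login flag, so a
    // session ID planted in the victim's browser never becomes an
    // authenticated one. The true argument also deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
    $_SESSION['logged_in'] = true;

    // Tip 2: flush the session to storage and release its lock before the
    // redirect, so the request for the next page sees the login and is not
    // blocked waiting on this one.
    session_write_close();
    header('Location: /dashboard.php');
    exit;
}
```

The order matters: the ini settings must be applied before session_start(), the ID is regenerated before any sensitive value is written to $_SESSION, and session_write_close() is the last call before the Location header. Setting the ini values in php.ini or .htaccess instead of ini_set() has the same effect and avoids repeating them in every script.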

Read the Post

Copyright © 2008 SDA Asia Magazine - All Rights Reserved