On May 29, 2013, at 11:05 PM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:

>> http://sperling.com/php/authorization/log-on.php
>
> I realize this is example code.
>
> My question is, in a real application where that $_SESSION['auth'] token
> would be used subsequently to gain entry to other pages, what would you
> use instead of the simple TRUE/FALSE value? It seems that someone (with
> far more knowledge of hacking than I have) could rather easily hack the
> session value to change its value. But then again, I pretty much suck
> when it comes to working out how you'd "hack" (crack) things.
>
> Paul

Paul:

While the above link may be example code, it is still sound for production.

Keep in mind that everything in security comes down to a true/false condition. Do you let the person in or not!

Certainly there are attacks on session ids and one must deal with that. But that's the level of security we have today. I could go through all the things you need to consider in protecting your session id (e.g., not accessing your bank accounts while having coffee at Starbucks) but that would defeat the purpose of attending one of my classes on the subject. :-)

If you are very concerned about security, then jump to an https protocol for those transactions; change session ids frequently; monitor the user's local environmental changes; time the session, and do a bunch of other stuff that will make it more and more difficult for your user to use your service.

But for *most things* using a session id will keep things relatively safe.

Cheers,

tedd

_____________________
tedd.sperling@xxxxxxxxx
http://sperling.com
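The hardening steps tedd lists (https-only transport, rotating the session id, watching the client's environment, timing the session) written out as a PHP session bootstrap. This is an added example, not the log-on code from sperling.com; the idle limit, the rotation interval and the choice of the User-Agent header as the environment fingerprint are assumptions.

```php
<?php
// Added example, not tedd's code. IDLE_LIMIT and REGEN_INTERVAL are assumed values.
const IDLE_LIMIT     = 900;   // seconds of inactivity before the session is dropped
const REGEN_INTERVAL = 300;   // rotate the session id at least this often

function secure_session_start(): void
{
    // Cookie only travels over https, is hidden from JavaScript and is not
    // attached to cross-site requests.
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_start();

    $now = time();
    // Assumed environment fingerprint: the User-Agent header. A change mid-session
    // is treated as a stolen or replayed id and the session is thrown away.
    $env = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    if (isset($_SESSION['env']) && !hash_equals($_SESSION['env'], $env)) {
        reset_session();
    }
    // Time the session: drop it after IDLE_LIMIT seconds without a request.
    if (isset($_SESSION['last']) && ($now - $_SESSION['last']) > IDLE_LIMIT) {
        reset_session();
    }
    // Change the id frequently so a captured id is useful only briefly.
    if (!isset($_SESSION['regen']) || ($now - $_SESSION['regen']) > REGEN_INTERVAL) {
        session_regenerate_id(true);     // true: discard the old session file
        $_SESSION['regen'] = $now;
    }
    $_SESSION['env']  = $env;
    $_SESSION['last'] = $now;
}

function reset_session(): void
{
    $_SESSION = [];                      // caller is logged out, auth flag gone
    session_regenerate_id(true);
}

function log_in(): void
{
    // Fresh id at the privilege change so a pre-set (fixated) id is never promoted.
    session_regenerate_id(true);
    $_SESSION['auth']  = true;           // the same true/false flag as the log-on page
    $_SESSION['regen'] = time();
}
```

Every protected page calls secure_session_start() before testing $_SESSION['auth'], so the checks run on each request rather than only at log-on.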