On 6/19/05, Martin Samesch <martin.samesch@xxxxxxxxxxxxxxxxxxxx> wrote:
> --- snip ---
> Try this code snippet, from a book by a security expert who says this
> is more secure to place on every page:
>
> session_start();
> $_SESSION['name'] = "YourSession";
>
> if (!isset($_SESSION['initiated']))
> {
>     session_regenerate_id();
>     $_SESSION['initiated'] = true;
> }
> --- snip ---

Many thanks Martin!

Starting with your hint, I found this site, I guess it's the book you mentioned:
http://phpsec.org/projects/guide/4.html

In simplistic words, it says that a session_id could be hijacked by some mechanism, and relying only on that isn't a secure choice. So, if you need an extra bit of security, it's recommended to implement a slightly more sophisticated script like the one you sent above.

Anyway, the really simple line I sent is still correct, but not as secure as the second option. But now... I'll add those lines to many projects I have already running :)

--
Juan Pablo Gil R.
Director
OnFocus - de la Idea al Bit
http://www.onfocus.cl/
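The per-page check quoted in this thread, placed in a fuller session bootstrap, as an added example that is not part of the original messages. The quoted check only fires the first time the server sees a session, so this sketch also regenerates the ID at login; the function names and the `user_id` key are hypothetical, and HTTPS and PHP 7.3 or later are assumed.

```php
<?php
// Added example, not code from the thread or from the guide it links to.
// start_hardened_session(), login_user(), logout_user() and the 'user_id'
// key are hypothetical names.

function start_hardened_session(): void
{
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Take the ID from the cookie only, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([      // array form needs PHP >= 7.3
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,          // assumption: the site is served over HTTPS
        'httponly' => true,          // keep the cookie out of reach of page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // The check quoted in the thread: issue a fresh ID the first time
    // this session is seen, and delete the old session data.
    if (!isset($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

function login_user(int $userId): void
{
    // The privilege level changes here, so replace the ID again: an ID
    // that was known before login no longer maps to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout_user(): void
{
    // Clear the data, expire the cookie, then destroy the server-side session.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```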