Re: Session

> On that note, here are a few things you might want to consider if you
> want to make sessions more secure:
>
> - use only cookies for sessions. (session.use_only_cookies = 1)  This
> prevents the session ID from *ever* being added to the URL.  URLs get
> logged -- by apache, by proxy servers, by user bookmarks :) -- and if a
> URL contains a session ID then you have that mentioned problem where a
> session can be easily revived after the user closes the browser
> (effectively session hijacking, intentional or not).

This might be the way to go for an intranet application, like Hwee is going
to do, but not for a website with a wide audience, because you are reliant on
the user's client (browser) accepting cookies. One could log the user's user
agent ident string or his IP address and check those with every page request
for further security.

Anyway, very good pieces of advice. Thanks, Hans!

Regards, Torsten

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
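The two ideas in this thread, the `session.use_only_cookies = 1` setting from Hans's quoted advice and Torsten's suggestion of checking the user agent or IP address on every request, as one added PHP session bootstrap. This is example code written for this archive page, not code from either poster; the function names `clientFingerprint` and `secureSessionStart`, the `$_SESSION['fp']` key, and the extra `session.use_strict_mode` and cookie-flag settings are this example's own additions beyond what the thread states.

```php
<?php
// Added example (not from the mailing list thread): a session bootstrap that
// applies the settings discussed above. Function and key names are this
// example's own choice.

declare(strict_types=1);

// Fingerprint used to bind a session to a client. Hashing the User-Agent (and
// optionally the IP) avoids storing raw client data in the session file.
// Binding to the IP is off by default: it breaks users behind rotating
// proxies or mobile carriers, the wide-audience trade-off raised in the reply.
function clientFingerprint(array $server, bool $bindIp = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

function secureSessionStart(bool $bindIp = false): void
{
    // Never accept or emit the session ID in the URL (the setting quoted above),
    // so it does not end up in server logs, proxy logs or bookmarks.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Only honour session IDs the server itself generated (session fixation
    // defence; an addition beyond the thread's advice).
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from script access and off plaintext connections.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    $expected = clientFingerprint($_SERVER, $bindIp);
    if (!isset($_SESSION['fp'])) {
        // Fresh session: rotate the ID and record the client fingerprint.
        session_regenerate_id(true);
        $_SESSION['fp'] = $expected;
        return;
    }
    if (!hash_equals($_SESSION['fp'], $expected)) {
        // Fingerprint mismatch: treat the session as possibly revived or
        // hijacked, discard it and start a clean one instead of serving
        // the old data.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['fp'] = $expected;
    }
}

// Call this before any output is sent, on every request that uses sessions.
secureSessionStart(false);
```

The user-agent check is a weak signal on its own (the string is client-controlled), so it catches accidental session revival far more reliably than a deliberate hijack; the cookie flags and ID regeneration are what actually limit exposure. Pass `true` to `secureSessionStart` only for an intranet-style deployment where client IP addresses are stable.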

