From: Ben Stones on 29 Mar 2010 07:24 Hi, I'm just wondering whether there are any apparent security concerns I should be aware of when using sessions in my PHP scripts. I understand that sessions are tracked with an individual user via a session ID which is stored in a temporary location on the server, as well as a PHPSESSID cookie assigned to the end user's client, but the server my website is hosted on (and which I'll be developing my PHP script on) doesn't allow you to create a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only the server can generate a session ID for the end user when I call the session_start function? So do I still need to call session_regenerate_id for security purposes when an end user has entered the correct login credentials - would this be necessary since you cant set a session ID via the URL? Thanks, Ben.
From: Ashley Sheridan on 29 Mar 2010 07:37 On Mon, 2010-03-29 at 12:24 +0100, Ben Stones wrote: > Hi, > > I'm just wondering whether there are any apparent security concerns I should > be aware of when using sessions in my PHP scripts. I understand that > sessions are tracked with an individual user via a session ID which is > stored in a temporary location on the server, as well as a PHPSESSID cookie > assigned to the end user's client, but the server my website is hosted on > (and which I'll be developing my PHP script on) doesn't allow you to create > a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only > the server can generate a session ID for the end user when I call the > session_start function? So do I still need to call session_regenerate_id for > security purposes when an end user has entered the correct login credentials > - would this be necessary since you cant set a session ID via the URL? > > Thanks, > Ben. Just setting a URL variable won't actually create a session, you have to use the PHP session functions to create one. Using session_regenerate_id() won't do that much for security. If you are really worried, then consider a security certificate. Even a self-issued one is better than nothing, and you can generate these for free. Thanks, Ash http://www.ashleysheridan.co.uk
|
Pages: 1 Prev: PHP to server prompt Next: how to provide download of files mow in documentroot |