[nycphp-talk] Storing User Controlled Configs

Chris Shiflett shiflett at php.net
Tue Sep 7 14:27:02 EDT 2004


--- Mark Armendariz <nyphp at enobrev.com> wrote:
> Oops, I believe was referring more to cookies than sessions.

I understand now. :-) Yes, sessions can be hijacked if you rely on
session_start() alone, but the session variables themselves are pretty
secure, since they're kept on the server and not sent back and forth.

What makes session security so challenging is that something does have to
be sent to the server for every request that identifies the user.

> Nonetheless, a google for "hijack session php" (sans quotes) has
> a lot of good information as to how to do some dirty, and avoid
> such things with sessions (7th from the top is 'The Truth About
> Sessions', by Chris Shiflett, as a matter of fact).

:-)

If any of you will be at php|works, I'll be talking about session security
there. I'm also trying to figure out Keynote, so I may have a fancy
presentation to go along with it. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/
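The exchange above comes down to one point: the data in $_SESSION stays on the server, so the only thing an attacker can steal is the identifier that the browser presents on every request. The PHP below is an added example written for this archive page, not code from the thread or from Chris Shiflett, showing what a session bootstrap can do beyond a bare session_start(): refuse identifiers from the URL, reject unknown identifiers, set the cookie flags, bind the session to a client fingerprint, and rotate the identifier at login. The function names, the SESSION_FINGERPRINT_SALT constant and the choice of User-Agent as the fingerprint input are this example's own assumptions; it also assumes PHP 7.3 or later for the array form of session_set_cookie_params() and hash_equals().

```php
<?php
// Added example (not from the original thread): a session bootstrap that
// does more than a bare session_start(). Function and constant names are
// the example's own choices; the PHP functions called are standard (7.3+).

declare(strict_types=1);

// Assumption: a random, per-deployment secret kept out of the code base.
const SESSION_FINGERPRINT_SALT = 'replace-with-a-random-per-deployment-secret';

// Bind the session to a client attribute. The User-Agent is low-entropy and
// forgeable, so this is an extra hurdle for someone who holds only the
// session id, not a replacement for protecting the id itself.
function session_fingerprint(array $server): string
{
    return hash_hmac('sha256', $server['HTTP_USER_AGENT'] ?? '', SESSION_FINGERPRINT_SALT);
}

function secure_session_start(): void
{
    // Never accept a session id from the query string (no ?PHPSESSID=...),
    // and reject ids the server did not issue, which defeats fixation.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // Keep the cookie off plain HTTP and away from script access.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    $fp = session_fingerprint($_SERVER);
    if (isset($_SESSION['fingerprint']) && !hash_equals($_SESSION['fingerprint'], $fp)) {
        // The id arrived from a client that does not match the one that
        // created the session: discard the server-side data rather than
        // serve it to whoever presented the stolen id.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['fingerprint'] = $fp;
}

// Call right after a successful credential check. Rotating the id here means
// an id that an attacker planted or observed before login never becomes an
// authenticated one; the old id is deleted server-side (the true argument).
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Typical use at the top of every page:
secure_session_start();
```

The fingerprint check only raises the bar; an attacker who captured the cookie on the same network usually captured the User-Agent string with it. The settings that actually keep the identifier out of an attacker's hands are the cookie-only transport, the Secure flag and the rotation at login.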



More information about the talk mailing list