[nycphp-talk] preventing randomized session variable from changing when page is refreshed
Edward JS Prevost II
consult at covenantedesign.com
Thu Aug 21 10:48:11 EDT 2008
Ajai Khattri wrote:
>
> Sure, but most people reading this are shaking their heads because the PHP
> session functions handle session IDs for you, no need to generate this
> yourself. The session ID should be stored in a cookie and the cookie needs
> to be checked for in every page. PHP's session functions do that for you.
>
> http://us3.php.net/manual/en/book.session.php
And most of that head shaking is due to security concerns... One of the
best things you can do for yourself is buff up on some basic security
concepts when dealing with sessions and persistence.
http://us3.php.net/session
Just cause I appreciate Harry's thoughts...
http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/
http://phpsec.org/projects/guide/4.html
Chris, has much changed in your thinking here?
http://talks.php.net/show/phpworks2004-php-session-security
and segfault...
http://segfaultlabs.com/files/pdf/php-session-security.pdf
-Ed