--- [EMAIL PROTECTED] wrote:
> > "In fact, I hope you do more than "session_start() and go"
> > in PHP, else you are probably vulnerable to a number of
> > session-based attacks."
>
> Man, that's all I do a lot of the time? What dangers are there,
> care to share any facts, figures about that...?
PHP provides a convenient session mechanism. However, this is rarely (never?) a complete solution, and it is up to you to handle the rest. For example, how do you identify users within your application, and what steps do you take to complicate impersonation?

PHP provides no built-in security, nor should it, because everyone's needs are different (also, security often comes at the expense of usability and/or performance, so different levels of security are desired by different developers).

I recently wrote some of my thoughts on session security in an article for PHP Magazine that you can get for free from:

http://www.phpmag.net/ssl/phppdf/

Also, this topic has been discussed on this list from time to time, so you can probably find some good ideas in the archives.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
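As an added illustration of the "more than session_start() and go" point in the reply above (example code, not from the original post or from Chris's article), here is what a hardened session start looks like: it refuses session IDs PHP did not issue, regenerates the ID on first sight and again at login, binds the session to a cheap client fingerprint, and enforces an idle timeout. It assumes PHP 7 or later and an HTTPS site; the helper names are my own.

```php
<?php
// Added example, not code from the original post or the linked article.
// Assumes PHP 7+ and HTTPS; helper names below are my own.
ini_set('session.use_strict_mode', 1);   // reject session IDs PHP did not issue
ini_set('session.use_only_cookies', 1);  // never read the ID from the URL
ini_set('session.use_trans_sid', 0);
ini_set('session.cookie_httponly', 1);   // keep the cookie away from JavaScript
ini_set('session.cookie_secure', 1);     // send it over HTTPS only
// Call this on every request instead of a bare session_start().
function secure_session_start($idle_limit = 900)
{
    session_start();
    // First sight of this session: issue a fresh ID so an attacker-supplied
    // one (session fixation) is never adopted, and record a cheap fingerprint.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
        $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
        $_SESSION['last_seen'] = time();
        return;
    }
    // The User-Agent should not change mid-session; a mismatch is a hint that
    // the ID is being replayed from another client.
    $ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua_hash)) {
        destroy_session();
        exit('Session invalidated.');
    }
    // Idle timeout: a stolen ID stops working once the real user walks away.
    if (time() - $_SESSION['last_seen'] > $idle_limit) {
        destroy_session();
        exit('Session expired.');
    }
    $_SESSION['last_seen'] = time();
}
// Call this after a successful password check so the authenticated session
// never keeps the ID it carried while anonymous.
function login_user($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}
// Wipe server-side and client-side state together.
function destroy_session()
{
    $_SESSION = array();
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

The User-Agent check is deliberately weak (it only raises the bar for a casual replay), which is why it sits alongside the ID regeneration and timeout rather than replacing them.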