Hi,
I am currently working with sessions and how to secure them as much as
possible.
In an older script of mine, I used session_is_registered() to take care
of this, but according to the manual: "If you are using $_SESSION (or
$HTTP_SESSION_VARS), do not use session_register(), ..." - I can't use
this anymore.
Well, so I wondered: how do you or would you make sure that someone won't
be able to hijack the session?
Also, any recommended URLs about this matter are more than welcome as well :)
I am currently only checking the IP, but I read about issues with AOL
users about this, since it can happen that their IP changes while
browsing the site.
Someone mentioned checking the referer and so making sure the script comes
from my own server, but when using redirects or stuff like that (or the
browser doesn't support this properly - as read in the PHP manual), then
this isn't 100% working either.
So, start nuking me with your comments ;)
Regards,
Duncan
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php