RopeADope Posted June 14, 2010 Share Posted June 14, 2010 So I'm still fairly new to PHP. Been working with it for several years but most of my projects are/were simple websites. I've started to dabble in OOPHP and I've got a question related to security. I know the old way(well its old to me anyway ) is to use session variables. 1st Q: Would it be a good practice to put several session variables into a "security token" object? Advantages/disadvantages? 2nd Q: If it is a good idea to created said security token, would it provide an extra measure of security to check the session variables against a cookie?(e.g. would this provide a check and balance type security measure? {check cookie, if !security_token[0][1][etc] in cookie, destroy session, set cookie null}) Any advice would be much appreciated Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 14, 2010 Share Posted June 14, 2010 1. Can't see any advantages or disadvantages.... I can't see the point really. $_SESSION is pseudo global variable anyway. 2. If you're worried about cookie tampering, just don't use cookies (for anything else but session id that is) Quote Link to comment Share on other sites More sharing options...
RopeADope Posted June 14, 2010 Author Share Posted June 14, 2010 1. Can't see any advantages or disadvantages.... I can't see the point really. $_SESSION is pseudo global variable anyway. 2. If you're worried about cookie tampering, just don't use cookies (for anything else but session id that is) So pretty much just stick with the traditional method of security?(session variables?) If there's a more secure alternative, I'd appreciate a link. I've only ever learned security via sessions and/or cookies. Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 14, 2010 Share Posted June 14, 2010 Ok. Perhaps you should explain what you mean by 'security', because I feel we're missing something here. Quote Link to comment Share on other sites More sharing options...
RopeADope Posted June 14, 2010 Author Share Posted June 14, 2010 Ok. Perhaps you should explain what you mean by 'security', because I feel we're missing something here. Ah, I apologize, perhaps I was unclear. I guess in a nutshell: Is there a better way to protect pages that are supposed to be viewable only upon login than checking for session variables? My initial question about the security token was just my brain wondering if you could take a bunch of session variables and wrap them up into a package. I think we've digressed from that however Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 14, 2010 Share Posted June 14, 2010 So what you really have in mind is 'user authorisation' and 'access control'. There are several ways to do this, but session variables play major role in most (if not all) of them. Quote Link to comment Share on other sites More sharing options...
RopeADope Posted June 14, 2010 Author Share Posted June 14, 2010 Right, user auth is my main bullet point when I say security. Do you have a link or some snippets of code that show how to execute the various methods? Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 14, 2010 Share Posted June 14, 2010 You might want to check how Zend_Auth from Zend Framework is being used for example. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.