Jump to content


Photo

Session security


  • Please log in to reply
1 reply to this topic

#1 schoi

schoi
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 22 September 2006 - 07:25 PM

session.use_only_cookies  boolean

    session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.

does this mean when ever we use sessions we should have this enabled. Even if u don't pass your session id alon with url? I am using php5 is still a problem?

#2 onlyican

onlyican
  • Members
  • PipPipPip
  • Advanced Member
  • 921 posts
  • LocationHants - UK

Posted 22 September 2006 - 07:56 PM

http://es2.php.net/session

Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.


Tell me the problem, I will try tell you the solution




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users