php_novice2007 Posted September 13, 2007

Hi all, I have to do a presentation tomorrow on the website I've built and I'm worried about getting asked a question on the security of my system.

For my website I'm using PHP sessions and at the beginning of each page I've got code to check if the session is registered. I want to ask: is this method secure? I know compared to cookies it is cos cookies are stored on the browser so you can 'easily' (though I don't know how) change cookie variables. Is it true you can't change session variables?

Also I've read that there are a few "security holes" to do with sessions. But I can't find any literature that talks about this. Can anyone help me?

Thanks~!
shab Posted September 13, 2007

Sessions can suffer from abuse such as Session Fixation and Session Hijacking. Refer to the following sites for more information:

- http://phpsec.org
- http://phpsecurity.org
- http://shiftlett.org

If you are worried about storing the data itself, you can encrypt it so that session data cannot be read without the correct key. Look into the session_set_handler() function.
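An added example (not code from the thread): one way to harden the per-page session check described in the question against the fixation and hijacking named in this reply, assuming PHP 7.3 or later and a site served over HTTPS. The function names and the `user_id` / `created` session keys are hypothetical.

```php
<?php
// Added example, not from the thread. Function names and the 'user_id' /
// 'created' session keys are hypothetical. Assumes PHP >= 7.3 and HTTPS.

function start_hardened_session(): void
{
    // Reject session IDs the server did not issue (a planted ID is discarded).
    ini_set('session.use_strict_mode', '1');
    // Take the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on cross-site subrequests
    ]);
    session_start();
}

function login_user(int $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session,
    // so an ID known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['created'] = time();
}

function require_login(int $maxAgeSeconds = 1800): int
{
    // Absolute lifetime: a stolen ID stops working after $maxAgeSeconds.
    $expired = isset($_SESSION['created'])
        && (time() - $_SESSION['created']) > $maxAgeSeconds;
    if (empty($_SESSION['user_id']) || $expired) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('Please log in.');
    }
    return (int) $_SESSION['user_id'];
}

// At the top of every protected page:
start_hardened_session();
$userId = require_login();
```

Call `login_user()` only after the password check has succeeded; the session data itself stays on the server, and only the session ID travels in the cookie.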
phat_hip_prog Posted September 13, 2007

Session info is stored by the client browser as a session cookie also! And yes can be masqueraded!