Distant_storm Posted November 28, 2007: Ok, got a few questions here. a) With sessions, is it worth the code hassle to hash the session file before any writing or reading is done, to check that the data is valid? b) Does anyone know any basic introductions to SSL? I want to use it as it's most effective against session hijacking and other attacks.
rarebit Posted November 28, 2007: Do you run your own server or do you use a host? Either way, what system is it operating (Linux / Windows), and what server is being used?
PHP_PhREEEk Posted November 29, 2007: SSL is used to encrypt between host and client. Session data is never shared between host and client; it remains with the host. SSL will do nothing to strengthen sessions. PhREEEk
Distant_storm (Author) Posted November 29, 2007: I'm using a host and it's Linux based. I believed that SSL would protect sessions as it stops network eavesdropping by potential threats looking for PHPSESSID?? Or am I totally off the chart, lol. This is just in case someone puts their network card into promiscuous mode, which means they receive all packets of data regardless of whether they're addressed to them? What is the best session protection, apart from checking the session file using SHA-1 to check if it has changed at all, and the path of the session, and the timeout of the session? I also read a lot about reverse proxy and proxy usage to fixate or hijack sessions. How do you protect against this? Thanks
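The controls the question above is circling (a session that can't be sniffed as plain-text PHPSESSID, can't be fixated before login, times out, and carries an integrity tag over its data), collected in one place as an added example; this is not code from the thread or from any poster. It assumes PHP 7.3 or newer, a site served only over HTTPS, and a real secret loaded from a config file outside the web root in place of the placeholder SESSION_HMAC_KEY; the timeout values are assumptions too.

```php
<?php
// Added example (not from the thread): hardening PHP sessions against
// sniffing, fixation and tampering. Assumes PHP >= 7.3 and an HTTPS-only site.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900;   // seconds of inactivity allowed (assumed value)
const SESSION_ABS_LIMIT  = 28800; // absolute lifetime, 8 hours (assumed value)
// Placeholder: load a random 32-byte secret from config outside the web root.
const SESSION_HMAC_KEY   = 'replace-with-a-32-byte-secret-from-config';

function startHardenedSession(): void
{
    // Accept session IDs only from cookies, and only IDs this server issued
    // (strict mode makes an attacker-chosen ID useless for fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_trans_sid', '0');
    // Cookie flags: never sent over plain HTTP (so a sniffer on the wire sees
    // only TLS), not readable by JavaScript, not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Question (a): if the stored data no longer matches its tag, drop it.
    if (isset($_SESSION['_mac']) && !sessionIsIntact()) {
        resetSession();
    }

    $now = time();
    $created  = $_SESSION['created']   ?? $now;
    $lastSeen = $_SESSION['last_seen'] ?? $now;
    // Expire on inactivity or when the absolute lifetime is exceeded.
    if (($now - $lastSeen) > SESSION_IDLE_LIMIT || ($now - $created) > SESSION_ABS_LIMIT) {
        resetSession();
        $created = $now;
    }
    $_SESSION['created']   = $created;
    $_SESSION['last_seen'] = $now;
}

// Throw away all data and issue a new ID; the old ID is deleted server-side.
function resetSession(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

// Call after a successful password check: a fresh ID invalidates any
// session ID planted in the browser before login (session fixation).
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['created'] = time();
}

// Integrity tag over the session payload. This matters on shared hosting where
// the session save path is shared with other tenants; it does nothing against
// network attacks, which the secure cookie flag above addresses.
function sealSession(): void
{
    $payload = $_SESSION;
    unset($payload['_mac']);
    $_SESSION['_mac'] = hash_hmac('sha256', serialize($payload), SESSION_HMAC_KEY);
}

function sessionIsIntact(): bool
{
    if (!isset($_SESSION['_mac'])) {
        return false;
    }
    $payload = $_SESSION;
    unset($payload['_mac']);
    $expected = hash_hmac('sha256', serialize($payload), SESSION_HMAC_KEY);
    // Constant-time comparison so the tag check leaks nothing by timing.
    return hash_equals($expected, (string) $_SESSION['_mac']);
}

// Per-request usage: start first, seal last.
startHardenedSession();
// ... application code; call loginUser($id) once credentials are verified ...
sealSession();
session_write_close();
```

The tag is computed over everything except itself and written just before the session is saved, so any edit to the file between requests shows up on the next startHardenedSession(). Note that the HMAC key must live outside the session store and the web root, otherwise whoever can edit the file can also re-sign it.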
PHP_PhREEEk Posted November 29, 2007: A couple of times a year I find it necessary to repeat the following: The VAST majority of hacking/hijacking attempts are done by 'script kiddies' who are bored, and who only find success with the absolutely most dismal of security setups within a script or on a server (and you'd maybe be surprised, or not, at how many scripts/servers are technically 'wide open' and vulnerable). That being said, there is, conversely, a tiny minority of 'professional' hackers who would try such sophisticated things as packet sniffing/hijacking etc. These pros are NOT looking to place a banner on your website. They are looking for 'paydirt'; they want $$$, which means they are looking for credit card or other personal information that can be used directly or sold to 3rd-party evil-doers. Bottom line is, unless you are running a banking site or a busy eStore, there is absolutely no need to implement all of this paranoia. Properly closing software holes and keeping server software updated will keep out 99% of the idiots who download scripts and try to deface your website with their graffiti. The other 1% most likely isn't interested in the least in your website. So relax. After being a server administrator for over 8 years now, I can honestly tell you that all of this 'cloak and dagger' crap is... well... crap. PhREEEk
Distant_storm (Author) Posted November 29, 2007: Thanks for that advice. I've always been server security conscious. I didn't figure that anyone would go to that much trouble to get someone's name. But these days there are a lot of PHP whiz kids out there. Again, thanks for the advice; saves me some code.