Session Confusion.
on 22.07.2009 19:19:44 by Dare Williams
Dear Forums,
Kindly advise me professionally because I am getting more confused about what to do about my application, which needs to be online very soon.
The fear is about session and authentication.
Here are my questions.
1. Must page authentication be done by session or cookie? If not, what are the other options?
2. How secure is a session without encoding?
3. Must you encode sessions at all times, and if not, what type of session?
4. Is it dangerous to pass one session to several pages?
5. What about locking a session to an IP ...... (tips needed)
6. Session security tips please.
Thank You All.
Williams.
Re: Session Confusion.
on 22.07.2009 19:34:43 by Phpster
On Wed, Jul 22, 2009 at 1:19 PM, Dare Williams wrote:
> Dear Forums,
>
> Kindly advise me professionally because I am getting more confused about what to do about my application, which needs to be online very soon.
>
> The fear is about session and authentication.
>
> Here are my questions.
> 1. Must page authentication be done by session or cookie? If not, what are the other options?
Hidden id field in the HTML form.
> 2. How secure is a session without encoding?
Encoding data? It can be done, but as long as the session is stored locally to the site and not in a shared folder on a shared hosting machine, it's pretty safe.
Another option is to store the session in the database.
> 3. Must you encode sessions at all times, and if not, what type of session?
All depends on the application and your own level of paranoia.
> 4. Is it dangerous to pass one session to several pages?
Nope, it's the essence of sessions. How else would you get the session data shared between pages?
> 5. What about locking a session to an IP ...... (tips needed)
Don't. Some ISPs host a pool of addresses and the user's IP may switch
during a single session.
> 6. Session security tips please.
This was just discussed in another thread here on sessions today.
Search the archives.
>
> Thank You All.
>
> Williams.
--
Bastien
Cat, the other other white meat
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Session Confusion.
on 22.07.2009 21:32:19 by 9el
Dear Dare,
I would recommend you get the free copy of *Chapter 10: Security* from the
Zend Certification Study Guide by Ben Ramsey & Davey Shafik at
www.zceguide.com
Shorter tips:
1. You can apply session_regenerate_id() to prevent *session riding* or *session fixation*.
2. You can keep $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] and
check it for the logged-in user to prevent *session hijacking*.
3. Cookies must be encrypted.
4. Filter all inputs and validate them.
5. Escape all output.
6. While filtering inputs, use the whitelist & blacklist method.
Regards
Lenin
http://twitter.com/nine_L
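The tips in this reply (rotate the id with session_regenerate_id(), bind the session to the user agent, harden the cookie) and the earlier advice not to bind to the IP, put together as one login lifecycle. This is an added example, not code from the post or from the study guide it cites. The 15-minute idle timeout, the SHA-256 user-agent fingerprint, the CSRF token kept in the session, the HTTPS assumption behind the `secure` flag, and the sample user-agent strings in the demo are all this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread): the session-side half of a login.
// Assumes HTTPS and a single web server; the idle timeout, fingerprint scheme,
// CSRF token and the demo's user-agent strings are this example's choices.

function configure_session(): void
{
    // These must run before session_start().
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only over HTTPS
        'httponly' => true,     // invisible to document.cookie
        'samesite' => 'Lax',    // not attached to cross-site POSTs
    ]);
}

function client_fingerprint(): string
{
    // Coarse client property only; deliberately not the IP address, which changes
    // behind carrier NAT and proxy pools (see the replies above).
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(int $userId): void
{
    // The id the client held before authentication is discarded, so an id planted
    // by an attacker (fixation) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['fingerprint']   = client_fingerprint();
    $_SESSION['last_activity'] = time();
    $_SESSION['csrf_token']    = bin2hex(random_bytes(32));
}

function logout(): void
{
    $_SESSION = [];
    if (!headers_sent() && ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        unset($p['lifetime']);
        setcookie(session_name(), '', ['expires' => time() - 3600] + $p);
    }
    session_destroy();
}

/** Returns the user id of a valid session, or null (and ends the session) otherwise. */
function current_user(int $idleTimeout = 900): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $idle   = time() - (int) ($_SESSION['last_activity'] ?? 0);
    $sameUa = hash_equals($_SESSION['fingerprint'] ?? '', client_fingerprint());
    if ($idle > $idleTimeout || !$sameUa) {
        logout();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return (int) $_SESSION['user_id'];
}

/** Compare a submitted form token against the one issued at login, in constant time. */
function csrf_token_valid(?string $submitted): bool
{
    return $submitted !== null
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Demo (runs from the CLI): a client logs in, then the same session id arrives
// from a different client. The user-agent strings are constructed sample values.
function demo(): array
{
    configure_session();
    session_start();
    $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (demo)';
    $before = session_id();
    login(42);
    $result = [
        'id_rotated_at_login' => $before !== session_id(),
        'owner_sees'          => current_user(),
        'csrf_ok'             => csrf_token_valid($_SESSION['csrf_token']),
        'csrf_forged'         => csrf_token_valid(str_repeat('0', 64)),
    ];
    $_SERVER['HTTP_USER_AGENT'] = 'curl/8.0';
    $result['hijacker_sees'] = current_user();   // null: fingerprint mismatch, session destroyed
    return $result;
}

var_dump(demo());
```

Two caveats a practitioner should keep in mind: the user-agent check only raises the bar (an attacker who stole the cookie can usually copy the User-Agent header too), and `session_regenerate_id(true)` must be called again on every privilege change, not only at login.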
RE: Session Confusion.
on 22.07.2009 22:36:13 by jenai tomaka
Hello
For the authentication you can make a form; it will pass the login
information to some class that does the SQL validation and puts the
user's information in the session, but not the password. I prefer to put it in the session
because when the user closes the browser the session will go down.
For 2,
On the first point, session variables are not something people can get
to from the client side unless you send them to them. What you see on
the client side is a session identifier that allows the server to
retrieve the actual session values.
For 3
You don't need to encode the whole session for security; if you want more security for some variables, encode just those.
For 4
One of the intentions of the session is to store information for easy application access.
For 5
I think it's not a good idea; the IP can change in the middle of the application.
Yuri Yarlei.
Programmer PHP, CSS, Java, PostgreSQL;
Today PHP=2C tomorrow Java=2C after the world.
Kyou wa PHP=2C ashita wa Java=2C sono ato sekai desu.
> Date: Wed, 22 Jul 2009 10:19:44 -0700
> From: darrenwilly@yahoo.com
> To: php-general@lists.php.net
> Subject: [PHP] Session Confusion.
>
> Dear Forums,
>
> Kindly advise me professionally because I am getting more confused about what to do about my application, which needs to be online very soon.
>
> The fear is about session and authentication.
>
> Here are my questions.
> 1. Must page authentication be done by session or cookie? If not, what are the other options?
> 2. How secure is a session without encoding?
> 3. Must you encode sessions at all times, and if not, what type of session?
> 4. Is it dangerous to pass one session to several pages?
> 5. What about locking a session to an IP ...... (tips needed)
> 6. Session security tips please.
>
> Thank You All.
>
> Williams.
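The form-to-class flow Yuri describes (a class does the SQL validation and only the user's information, never the password, goes into the session), as an added example that is not his code. The `users` table, the in-memory SQLite database, the sample account and the dummy-hash timing trick are this example's own assumptions; the credential check uses prepared statements and PHP's password_hash()/password_verify() API.

```php
<?php
declare(strict_types=1);

// Added example (not Yuri's code): the form-to-class flow described above.
// The class checks credentials with a prepared statement and password_verify();
// only the user's id and name go into the session, never the password or its hash.
// The in-memory SQLite database and the sample user are constructed for the demo.

final class Authenticator
{
    private string $dummyHash;

    public function __construct(private PDO $db)
    {
        // Verified against when the username is unknown, so a failed lookup costs
        // the same time as a failed password and does not reveal which users exist.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /** Returns ['id' => int, 'username' => string] on success, null on any failure. */
    public function attempt(string $username, string $password): ?array
    {
        // Bound parameter: the submitted username can never change the SQL.
        $stmt = $this->db->prepare(
            'SELECT id, username, password_hash FROM users WHERE username = :u'
        );
        $stmt->execute([':u' => $username]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);

        $hash = $user === false ? $this->dummyHash : $user['password_hash'];
        $ok   = password_verify($password, $hash);
        if ($user === false || !$ok) {
            return null;   // same answer for unknown user and wrong password
        }
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            // Transparently upgrade hashes made with older cost settings.
            $upd = $this->db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
            $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
        }
        return ['id' => (int) $user['id'], 'username' => $user['username']];
    }
}

/** What the login form handler stores: identity only, after rotating the session id. */
function establish_session(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $user['username'];
}

function demo(): array
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'dare', ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

    $auth = new Authenticator($db);
    session_start();

    $results = [
        'wrong_password' => $auth->attempt('dare', 'hunter2'),          // null
        'injection_try'  => $auth->attempt("' OR 1=1 --", 'anything'),  // null: literal username lookup
    ];
    $user = $auth->attempt('dare', 'correct horse battery staple');
    $results['right_password'] = $user;                                 // ['id' => 1, 'username' => 'dare']
    if ($user !== null) {
        establish_session($user);
    }
    $results['session_keys'] = array_keys($_SESSION);                   // ['user_id', 'username']: no password
    return $results;
}

var_dump(demo());
```

Because the session file or row holds only the user id, a leaked session store exposes who was logged in but not anything that could be replayed against the login form; the password hash stays in the `users` table and the cleartext password is never persisted anywhere.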