Re: Client-Side Session Data

Posted by Rik on 12/19/06 03:31

Vincent Delporte wrote:
> On Sun, 17 Dec 2006 23:33:23 GMT, Sanders Kaufman <bucky@kaufman.net>
> wrote:
>> When you have a session going, I know that PHP stores a session
>> token on the client, but does it keep the session *data* on the
>> client, as well?
>
> BTW, here's an article that just came out on dangerous ways to use
> cookies:
>
> How Not To Use Cookies
>
http://www.informit.com/guides/printerfriendly.asp?g=security&seqNum=232&rl=1


Yup, it breaks down to some very simple rules:
1. HTTPS. No discussion, don't assume anything if you haven't got it.

2. Userdata belongs on the server, and stays on the server. Users know
their own password, email address, etc, and why transfer logged-in status &
rights to and from the user? The only place where they're needed is on the
server itself...

3. Using cookies to keep track of logged-in visitors IS handy. They should
have random, unguessable values, and absolutely nothing to do with their
actual information. They're just a random ID for you; the data that they
represent you can link on the server.

4. Do not keep users logged in. Sessions time out and cookies, if still
present, become useless for anyone trying to use them later. Explain that to
people who don't want to remember passwords.

5. Do not use the same ID purposefully twice (although it might occur,
chances should be very slim). A user logs in, and gets a random id.

6. And finally THE golden rule: never, ever trust user input. If you expect
a number, make sure it's a number. If you expect only certain characters,
make sure there are no others. If you cannot escape the fact that users have
to enter an unknown text, use the escaping tools for characters at your
disposal. Be very, very wary of SQL injection.

There are others, but these are the most important imho. There are others,
like keeping a log of what users do from what location, but that's usually only
needed when it has gone wrong, and you have to track it back; never save a
plain password; do not display errors in your code should it break for some
reason, error-displaying is for development, etc.
--
Rik Wasmus
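An added example, not code from Rik or anyone else in this thread, showing how those rules map onto PHP's own session API. It assumes PHP 7.3 or later, an existing PDO connection in `$pdo`, and a hypothetical `users` table with columns `id`, `email` and `password_hash`; the idle timeout value is a placeholder.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.3, a PDO
// connection $pdo, and a hypothetical users(id, email, password_hash) table.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 900;   // placeholder: 15 minutes of inactivity

function startSecureSession(): void
{
    // Rules 1 and 3: the cookie travels only over HTTPS, is invisible to
    // JavaScript, is not sent cross-site, and its value is nothing but
    // PHP's random session ID; no user data rides in it.
    session_set_cookie_params([
        'lifetime' => 0,            // browser-session cookie, no "keep me logged in"
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    ini_set('display_errors', '0');           // error display is for development only
    session_start();

    // Rule 4: expire idle sessions on the server; a leftover cookie then proves nothing.
    if (isset($_SESSION['last_seen'])
        && time() - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        session_unset();               // drop the server-side data ...
        session_regenerate_id(true);   // ... and retire the old ID so a stale cookie is useless
    }
    $_SESSION['last_seen'] = time();
}

function login(PDO $pdo, string $email, string $password): bool
{
    // Rule 6: check the shape of the input before it touches anything.
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false || $password === '' || strlen($password) > 1024) {
        return false;
    }

    // Rule 6: a prepared statement, so the email can never become SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Never store a plain password: compare against a password_hash() value.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Rule 5: a fresh random ID at login and the old one deleted, so an ID
    // handed out before authentication (session fixation) is never reused.
    session_regenerate_id(true);

    // Rule 2: logged-in status and rights live only in $_SESSION on the server.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentUserId(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

function logout(): void
{
    session_unset();
    session_destroy();
}

function requireInt(string $value): int
{
    // Rule 6: "if you expect a number, make sure it's a number".
    if (!ctype_digit($value)) {
        http_response_code(400);
        exit('bad input');
    }
    return (int) $value;
}

// Usage on every request (illustrative):
// startSecureSession();
// if (login($pdo, $_POST['email'] ?? '', $_POST['password'] ?? '')) { /* redirect */ }
// $page = requireInt($_GET['page'] ?? '1');
```

The point of `session_regenerate_id(true)` at login and at timeout is that the cookie value is only ever an opaque handle: whatever the visitor's browser still holds after the server has retired that handle links to nothing, which is exactly what rules 3 through 5 ask for.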
