Posted by dino d. on 03/12/07 21:55
Hi Everyone-

I was reading a few posts about sessions and security, and it seems that the best way to address session security is to require authentication every time the user needs to get to sensitive data (or protect the session data with SSL). In other words, assume that the world can see your session data stored in cookies if you're not using SSL. So, I started looking for exceptions to this rule of thumb (requiring authentication for sensitive data, even if the user has already logged in and has session data in a cookie), and I found one on eBay. If you log on to eBay, and then go to your personal information, and then try to edit, say, your credit card information, you are asked to log in. However, if you check the checkbox that says "keep me logged in for 1 day unless I log out" (or whatever), you no longer have to log in to get to your credit card information. So obviously, they have secured the session data without SSL (or https). How is this accomplished? Is there an equivalent construct in PHP?

Thanks,
Dino
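The user-facing behaviour the post describes (a "keep me logged in" cookie that restores the login, while editing payment details still asks for a password) can be built in plain PHP by keeping "logged in" and "recently typed the password" as two separate facts in the session, and by keeping the remember-me token out of the session cookie entirely. The following is an added example, not code from the post and not a description of how eBay implements this. It assumes PHP 7.3+ (for the array form of `session_set_cookie_params` and `setcookie`), that the site runs over HTTPS so the `secure` flag can be set, and a hypothetical `remember_tokens` table reached through a PDO handle.

```php
<?php
// Added example (not from the original post): a PHP session pattern that
// separates "logged in" from "recently authenticated" and keeps a
// "keep me logged in" token out of the session cookie.  Assumes PHP 7.3+,
// HTTPS, and a hypothetical table remember_tokens(user_id, token_hash, expires_at).

function secure_session_start(): void {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => $https,     // never send the session id over plain HTTP
        'httponly' => true,       // not readable from document.cookie
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_start();
}

// Call after the password check succeeds.
function mark_authenticated(int $user_id): void {
    session_regenerate_id(true);           // fresh id after a privilege change
    $_SESSION['user_id']   = $user_id;
    $_SESSION['auth_time'] = time();       // when the password was last entered
}

// Sensitive pages (editing card details) call this and send the user back
// to the password prompt when it returns false.
function recently_authenticated(int $max_age_seconds = 900): bool {
    if (empty($_SESSION['user_id']) || empty($_SESSION['auth_time'])) {
        return false;
    }
    return (time() - $_SESSION['auth_time']) <= $max_age_seconds;
}

// "Keep me logged in": a random token in its own cookie.  Only a hash of the
// token is stored server side, so a leaked database row cannot be replayed
// as a cookie.  $days mirrors the "for 1 day" wording in the post.
function issue_remember_token(PDO $pdo, int $user_id, int $days = 1): void {
    $token   = bin2hex(random_bytes(32));
    $expires = time() + $days * 86400;
    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$user_id, hash('sha256', $token), $expires]);
    setcookie('remember', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// On a visit with no live session: restore the login from the token.
// auth_time is deliberately NOT set, so the restored session counts as
// logged in but still has to re-enter the password for sensitive pages.
function restore_from_remember_token(PDO $pdo): bool {
    if (empty($_COOKIE['remember'])) {
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT user_id, expires_at FROM remember_tokens WHERE token_hash = ?'
    );
    $stmt->execute([hash('sha256', $_COOKIE['remember'])]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

// Typical page flow for a sensitive action, e.g. edit_card.php:
//   secure_session_start();
//   if (empty($_SESSION['user_id'])) { restore_from_remember_token($pdo); }
//   if (!recently_authenticated()) { header('Location: /login.php?next=edit_card'); exit; }
```

The point of keeping `auth_time` separate is that a long-lived remember-me cookie only ever proves "this browser was logged in once"; it never shortens the path to card details, which always require a password entered within the last few minutes. The `secure` flag on both cookies is what stops the session id and the token from being sent (and observed) over a plain-HTTP request in the first place, so this pattern complements rather than replaces serving the site over HTTPS.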