Re: sessions and security

Posted by Tom on 03/13/07 00:57

On Mar 12, 7:46 pm, Umberto Salsi <s...@icosaedro.italia> wrote:
> "dino d." <dinodorr...@yahoo.com> wrote:
> > I was reading a few posts about sessions and security, and it seems
> > that the best way to address sessions security is to require
> > authentication every time the user needs to get to sensitive data (or
> > protect the session data with SSL). In other words, assume that the
> > world can see your session data stored in cookies if you're not using
> > SSL. So, I started looking for exceptions to this rule of thumb
> > (requiring authentication for sensitive data, even if the user has
> > already logged in and has session data in a cookie), and I found one
> > on ebay. If you log on to ebay, and then go to your personal
> > information, and then try to edit, say, your credit card information,
> > you are asked to log in. However, if you check the check box that
> > says "keep me logged in for 1 day unless I log out" (or whatever), you
> > no longer have to log in to get to your credit card information. So
> > obviously, they have secured the session data without SSL (or https).
> > How is this accomplished? Is there an equivalent construct in PHP?
>
> This is not a feature of a specific language, but a property of
> the HTTP protocol. Every cookie has several parameters you can
> set, read carefully the description of the function setcookie(): www.php.net/manual/en/function.setcookie.php
>
> Among these parameters are expire, path, domain and secure, so
> that the cookies can be sent from the client to the server only over SSL,
> or only on a well defined domain/path where the secure pages are located.
>
> About the expire time: zero means "expire when the browser closes", 24*60*60
> means "expire after a day". The check box you found just tells the server
> which value it will use.
>
> Regards,
> ___
> /_|_\ Umberto Salsi
> \/_\/ www.icosaedro.it

The eBay example you gave isn't necessarily a security flaw, because
we have no idea what other methods they use to authenticate on top of
the data stored in the cookie(s). They might be tracking your IP
address or even the port number on your machine that's accessing
eBay's server -- data which you don't store remotely. If these don't
match they might ask you to re-authenticate.
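The cookie parameters Umberto lists (expire, path, domain, secure) and the "keep me logged in" lifetime switch, put together in one PHP script. This is an added example written for this page, not code from either poster; the domain `example.com`, the path `/account`, the form field names and the 15-minute re-authentication window are assumptions. It also goes one step past the thread by showing the server-side counterpart of the eBay behaviour: a sensitive page checks how recently the user authenticated and asks for the password again when the session is older than the window.

```php
<?php
// Added example, not from the original thread.
// Assumed: the site is served over HTTPS at https://example.com/account/...,
// the login form posts 'user', 'pass' and an optional 'remember' checkbox.

declare(strict_types=1);

const ONE_DAY        = 24 * 60 * 60; // expire after a day (as in the thread)
const REAUTH_WINDOW  = 15 * 60;      // assumption: accept a login as "fresh" for 15 minutes

/**
 * The checkbox only chooses the cookie lifetime, exactly as the thread says:
 * 0 = expire when the browser closes, ONE_DAY = expire after a day.
 */
function cookieLifetime(bool $rememberMe): int
{
    return $rememberMe ? ONE_DAY : 0;
}

/**
 * Start the session with a restricted cookie. path/domain limit where the
 * browser sends the session id; secure=true means TLS only; httponly keeps
 * it out of reach of client-side script (PHP >= 5.2).
 */
function startHardenedSession(bool $rememberMe): void
{
    session_set_cookie_params(
        cookieLifetime($rememberMe),
        '/account',     // assumption: only the account area needs the session
        'example.com',  // assumption: the site's own host
        true,           // secure: never sent over plain http
        true            // httponly
    );
    session_start();
}

/** Record a successful login; a new session id prevents reuse of a pre-login id. */
function markAuthenticated(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

/**
 * True when a sensitive page (card details, e-mail change, ...) should ask for
 * the password again: no login recorded, or the login is older than the window.
 */
function requiresReauth(array $session, int $now): bool
{
    if (!isset($session['user_id'], $session['auth_at'])) {
        return true;
    }
    return ($now - (int) $session['auth_at']) > REAUTH_WINDOW;
}

/** Placeholder credential check; a real site verifies a stored password hash. */
function credentialsValid(string $user, string $pass): ?int
{
    return ($user === 'demo' && $pass === 'demo-password') ? 42 : null; // constructed
}

// --- request handling -------------------------------------------------------
$rememberMe = isset($_POST['remember']);
startHardenedSession($rememberMe);

if (isset($_POST['user'], $_POST['pass'])) {
    $userId = credentialsValid((string) $_POST['user'], (string) $_POST['pass']);
    if ($userId === null) {
        http_response_code(401);
        exit('Login failed');
    }
    markAuthenticated($userId);
}

// A page that exposes stored card data: re-prompt unless the login is fresh.
if (requiresReauth($_SESSION, time())) {
    header('Location: /account/login.php?next=' . urlencode($_SERVER['REQUEST_URI']));
    exit;
}

echo 'Card details for user ', (int) $_SESSION['user_id'];
```

Two points the thread leaves implicit: `secure` only withholds the cookie from plain-HTTP requests, so the session is still exposed if the login form itself is served without TLS; and the "keep me logged in" choice only extends how long the browser keeps the cookie, which is why the re-authentication window above is tracked server-side in `$_SESSION` rather than trusted from the client.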
