Posted by Willem Bogaerts on 06/11/07 15:18
>> - use very short session life time
>> - force user to login again before doing something important
And change session whenever you change user rights (i.e., after a
successful login). PHP's function session_regenerate_id() is suitable
for this.
Search the net for "session hijacking" and "session fixation". There is
a lot of info available...
Best regards,
--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/
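As an added illustration of the advice above (example code, not part of Willem's post or of any Kratz project): a minimal PHP login flow that calls session_regenerate_id() at the moment the user's rights change, plus a helper that forces callers to re-authenticate before a sensitive action. The verify_credentials() helper, the constructed sample account and the 300-second freshness window are assumptions made for this example.

```php
<?php
// Added example (not from the original post): regenerate the PHP session ID
// whenever the user's privilege level changes, i.e. right after a successful
// login, and require a recent login before anything important.
declare(strict_types=1);

// Hypothetical credential check standing in for the application's own.
function verify_credentials(string $user, string $password): bool
{
    // Constructed sample account; a real application reads this from its user store.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,   // not readable from JavaScript
            'cookie_secure'   => true,   // only sent over HTTPS
            'cookie_samesite' => 'Lax',  // PHP 7.3+
            'use_strict_mode' => true,   // reject IDs the server never issued (anti-fixation)
        ]);
    }
}

function login(string $user, string $password): bool
{
    start_session();
    if (!verify_credentials($user, $password)) {
        return false;
    }
    // Rights are about to change: drop the pre-login ID (and its server-side
    // data) so an ID fixed or observed before login no longer maps to this user.
    session_regenerate_id(true);
    $_SESSION['user']    = $user;
    $_SESSION['auth_at'] = time();
    return true;
}

// "Force user to login again before doing something important": here a login
// counts as fresh if it happened within $maxAge seconds (300 is an assumption).
function requires_reauth(int $maxAge = 300): bool
{
    start_session();
    return !isset($_SESSION['auth_at']) || (time() - $_SESSION['auth_at']) > $maxAge;
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    // Expire the cookie as well as the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch for a sensitive endpoint (e.g. changing the account e-mail):
//   if (requires_reauth()) { redirect_to_login(); exit; }
//   ... perform the action ...
```

Calling session_regenerate_id() with `true` is what makes the old ID unusable: without the argument the previous session data stays on disk and can still be reached through the old ID until garbage collection runs.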