Re: session security

Posted by Colin McKinnon on 11/16/13 11:28

Marcus wrote:

> Hello,
>
> Currently all of my php pages use SSL, not just my initial login.
> Originally I thought this would be more secure, but after thinking about
> things and looking at sites like Amazon and Gmail, they all SSL the
> login scripts and then use regular http for everything else, which I'm
> sure speeds things up without the encrypt/decrypt process.
>

Keeping things constantly under SSL is a good idea.

You should also discard the current session and create a new one (perhaps
copying data from the old session) when presented with login information,
to avoid session fixation.

A few caveats are to make sure that you maintain the patches on your SSL
config, and preferably run the SSL remote from the webserver (even in a
chroot stunnel). It's also handy to run an asymmetric encryption program
with only one of the key pair on the server to log information securely.

>
> Lastly, I was also wondering if it matters that I use mysql_connect() on
> every page in the event I do not SSL every page... please correct me if
> I am wrong, but since it resides on the server, I don't *think* the
> database password, which is stored in the php file in plain text, should
> ever actually be transported across the network. I have not been able
> to confirm this however.
>

If it is connecting locally, the password will not be visible from the
network (this connection is quite separate from the connection between user
and webserver - so it makes no difference if that is encapsulated or not).

HTH

C.
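An added example (not code from Colin's or Marcus's posts) of the session-fixation advice above: the pre-login session id is thrown away the moment the credentials check out, so an id an attacker planted in the victim's browser never becomes an authenticated one. verify_credentials() and its in-memory user table are constructed stand-ins for a real lookup; the cookie flags assume the site is served entirely over SSL, as the reply recommends.

```php
<?php
// Added example: login handler that defeats session fixation by issuing a
// fresh session id after successful authentication. Not from the original post.
declare(strict_types=1);

function verify_credentials(string $user, string $pass): ?int
{
    // Hypothetical user store (constructed for the example): returns the
    // user id on success, null on failure. Replace with a real DB lookup.
    static $users = null;
    if ($users === null) {
        $users = ['marcus' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

function start_secure_session(): void
{
    // Must be set before session_start(). Because every page is under SSL,
    // the cookie can be marked Secure; strict mode makes PHP refuse any id
    // it did not issue itself, which blocks the simplest fixation attempts.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    session_start();
}

function login(string $user, string $pass): bool
{
    $uid = verify_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    // Keep only what should survive the login boundary (here: a cart),
    // then regenerate the id and delete the old session's storage.
    $carry = ['cart' => $_SESSION['cart'] ?? []];
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION = $carry;
    $_SESSION['user_id'] = $uid;
    $_SESSION['auth_time'] = time();
    return true;
}

function logout(): void
{
    // Clear server-side data and expire the cookie so the id is not reused.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage as a request handler:
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        header('Location: /account.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

The important ordering is that regeneration happens after the credentials are verified and before any privileged data lands in $_SESSION; regenerating on every request instead is not a substitute, since the attacker's fixated id would still be the one that got upgraded at login.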

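An added example (again not from the original posts) of the other suggestion in the reply, logging with "only one of the key pair on the server": each log record is sealed with a public key using PHP's openssl_seal(), so the web server can append entries but an attacker who compromises it cannot read them back; decryption needs the private key, which is kept off the box. The key pair is generated inline purely so the example runs; the log path and the log line are constructed.

```php
<?php
// Added example: append-only log sealed with a public key; the private key
// lives elsewhere. Not code from the original post.
declare(strict_types=1);

function encrypt_log_entry(string $publicKeyPem, string $line): string
{
    $pub = openssl_pkey_get_public($publicKeyPem);
    if ($pub === false) {
        throw new RuntimeException('bad public key: ' . openssl_error_string());
    }
    $sealed = '';
    $ekeys = [];
    $iv = '';
    // openssl_seal generates a random AES key per entry and wraps it with the
    // RSA public key, so records of any length can be encrypted.
    if (openssl_seal($line, $sealed, $ekeys, [$pub], 'aes-256-cbc', $iv) === false) {
        throw new RuntimeException('seal failed: ' . openssl_error_string());
    }
    // One record per line: wrapped-key | iv | ciphertext, all base64.
    return implode('|', [base64_encode($ekeys[0]), base64_encode($iv), base64_encode($sealed)]) . "\n";
}

function decrypt_log_entry(string $privateKeyPem, string $record): string
{
    // Run this off-box, where the private key is.
    [$ek, $iv, $ct] = array_map('base64_decode', explode('|', rtrim($record, "\n"), 3));
    $priv = openssl_pkey_get_private($privateKeyPem);
    if ($priv === false) {
        throw new RuntimeException('bad private key: ' . openssl_error_string());
    }
    $out = '';
    if (!openssl_open($ct, $out, $ek, $priv, 'aes-256-cbc', $iv)) {
        throw new RuntimeException('open failed: ' . openssl_error_string());
    }
    return $out;
}

// Demo key pair. In production generate it elsewhere and copy only
// the public key (the 'key' element below) to the web server.
$res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($res, $privPem);
$pubPem = openssl_pkey_get_details($res)['key'];

// Constructed log line; the path is an assumption.
$record = encrypt_log_entry($pubPem, date('c') . ' login user=marcus ip=203.0.113.5 result=ok');
file_put_contents('/tmp/app.seclog', $record, FILE_APPEND | LOCK_EX);

// Off-box reader:
echo decrypt_log_entry($privPem, $record);
```

This protects confidentiality of past entries only; an attacker who owns the server can still stop logging or append forged records, so ship the file to a separate host as well.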