Posted by Umberto Salsi on 03/12/07 23:46
"dino d." <dinodorroco@yahoo.com> wrote:
> I was reading a few posts about sessions and security, and it seems
> that the best way to address sessions security is to require
> authentication every time the user needs to get to sensitive data (or
> protect the session data with SSL). In other words, assume that the
> world can see your session data stored in cookies if you're not using
> SSL. So, I started looking for exceptions to this rule of thumb
> (requiring authentication for sensitive data, even if the user has
> already logged in and has session data in a cookie), and I found one
> on ebay. If you log on to ebay, and then go to your personal
> information, and then try to edit, say, your credit card information,
> you are asked to log in. However, if you check the check box that
> says "keep me logged in for 1 day unless I log out" (or whatever), you
> no longer have to log in to get to your credit card information. So
> obviously, they have secured the session data without SSL (or https).
> How is this accomplished? Is there an equivalent construct in PHP?
This is not a feature of a specific language, but a property of
the HTTP protocol. Every cookie has several parameters you can
set; read carefully the description of the function setcookie():
www.php.net/manual/en/function.setcookie.php
Among these parameters there are expire, path, domain and secure, so
that the cookies can be sent from the client to the server only on SSL,
or only on a well defined domain/path where the secure pages are located.
About the expire time: zero means "expire when the browser closes", 24*60*60
means "expire after a day". The check box you found just tells the server
which value it will use.
Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it
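The expire/path/domain/secure parameters described in the reply above, put together in an added example (not code from the original post or from its author): the cookie lifetime is chosen by the "keep me logged in" checkbox, and the cookie is scoped to an HTTPS-only area of the site. The function name, cookie name, path, domain and form field are assumptions for illustration; the array form of setcookie() requires PHP 7.3 or later.

```php
<?php
// Added example, not from the original post. issue_session_cookie(),
// the cookie name, '/account/', 'secure.example.com' and the
// 'keep_logged_in' form field are assumptions for illustration.

function issue_session_cookie(string $sessionId, bool $keepLoggedIn): bool
{
    // Refuse to hand out the cookie unless this request itself came over
    // TLS; otherwise the value has already crossed the network in clear.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        return false;
    }

    // expire: 0 = discard when the browser closes; otherwise one day
    // (24*60*60 seconds) from now, as selected by the checkbox.
    $expires = $keepLoggedIn ? time() + 24 * 60 * 60 : 0;

    return setcookie('SECURE_SESSION', $sessionId, [
        'expires'  => $expires,
        'path'     => '/account/',          // only sent for URLs under /account/
        'domain'   => 'secure.example.com', // only sent to this host
        'secure'   => true,                 // never sent over plain http://
        'httponly' => true,                 // not readable from JavaScript
        'samesite' => 'Strict',             // not sent on cross-site requests
    ]);
}

// Typical use in the login handler, after the credentials have been verified.
$keepLoggedIn = isset($_POST['keep_logged_in']);
$sessionId    = bin2hex(random_bytes(32)); // fresh, unguessable identifier
issue_session_cookie($sessionId, $keepLoggedIn);
```

With secure set, a browser will not attach the cookie to any http:// request, so the protected pages under /account/ must themselves be served over HTTPS or the server will never see the session.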