Re: session security

Posted by Gordon Burditt on 11/12/07 11:28

>I see your point, I think I will just re-generate the session ID after
>every user request so that the last session ID is no longer valid.

Are you *SURE* that re-generating the session ID cancels the validity
of the old one? If not, you're just generating piles more correct
answers. The delete_old_session parameter to session_regenerate_id()
seems to have been added in version 5.1.0.

>Hopefully that will provide enough security for the non-SSL'd pages.
>
>My last question is this: I read online that you should never pass
>session data between http and https servers. I have successfully
>carried sessions between the two without passing any information in the
>URL... since I know this can be done, is there a reason not to do so?
>Does it expose any other security risks I am not aware of?

If it's exposed in http it's exposed, period. And providing a lot
of "known plaintext" for a cracking attempt at the SSL ciphers isn't
a good idea even though it's thought they aren't vulnerable to such
an attack.


Gordon L. Burditt
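An added example (not part of the post above) that answers the "are you SURE" question empirically: it rotates a session ID with and without the delete_old_session flag and checks whether the old ID still resolves to a session record. It assumes PHP 7.1 or later with the default 'files' save handler, where each session lives in sess_<id> under session.save_path; the parameter itself dates from 5.1.0 as the post says.

```php
<?php
// Added example, not from the original thread. Verifies whether
// session_regenerate_id() actually invalidates the previous session ID.
// Assumes PHP >= 7.1 and the default 'files' handler; run from the CLI.

// Throwaway save path so the check never touches live sessions.
$savePath = sys_get_temp_dir() . '/sess_regen_check';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');   // CLI run: no Set-Cookie headers

function checkRegeneration(string $savePath): array
{
    session_start();
    $_SESSION['user'] = 'alice';       // constructed sample data
    $id1 = session_id();

    // Default (false): the old record is written back and left in place,
    // so the old ID still resolves to a valid session.
    session_regenerate_id(false);
    $id2 = session_id();
    $oldValidAfterFalse = file_exists("$savePath/sess_$id1");

    // delete_old_session = true: the old record is destroyed.
    session_regenerate_id(true);
    $id3 = session_id();
    $oldValidAfterTrue = file_exists("$savePath/sess_$id2");

    session_write_close();
    foreach ([$id1, $id2, $id3] as $id) {      // clean up throwaway records
        @unlink("$savePath/sess_$id");
    }

    return [
        'old_id_valid_after_regenerate_false' => $oldValidAfterFalse, // true
        'old_id_valid_after_regenerate_true'  => $oldValidAfterTrue,  // false
    ];
}

print_r(checkRegeneration($savePath));
```

A `true` in the first result is exactly the "piles more correct answers" problem: every ID the user ever held remains accepted until garbage collection removes it.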
