PHP security concerns
KeyStorm
Well, I'm developing a class in PHP to handle sessions on a framework level (so I can use it in several applications), but it is currently focused on Chameleon.*

Well, I tried to avoid the use of session files, since these may be a fast solution but aren't always reliable (memory quota, void session handling, session hijacking).
What I do is generate a session ID with session_start, fill the session file with a boolean (to avoid the void session automatic destruction, but keeping the file as sleek as possible) and store all data to the database. With several features I can allow custom session timeouts, session suspension (to recover your session in the next login), etc. The problem is that authentication of session owner is somewhat tricky.

To start a session, people are supposed to log in. Once they do, the session is saved to the database, i.e. it becomes a persistent session. Using the session ID I link the user to that single stored session. But the SIDs can easily be hijacked, either by URL appending or by cookie faking.

This brings me to the question about more reliable checks to verify that the user who is identifying itself with a certain SID really is the user the SID was generated for. But... How to handle proxy IPs? How to get a unique value from a client?

I know there is no perfect way to protect users from sniffing and hacking into their accounts, but what would be the most reliable methods to make it hard for hackers and keep it simple in the code? (This means do not require me to install and use SSL libs, because it would really be overkill in certain circumstances, imo.)

Would someone know how to make it the best way possible? :)
Actually post your thoughts, even if they're not proved to be bulletproof ;)

__
* Some more free advertising :gfdrin:

This post was edited on 05-21-2005 at 03:33 PM by KeyStorm.
05-21-2005 03:33 PM
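
One way to implement the owner check the post asks about, as an added example that is not KeyStorm's code: the stored session is bound to a keyed hash of the User-Agent and a coarse IP prefix, so requests arriving through different proxies of one network still match. The `sessions` table, the function names, `SERVER_SECRET` and the /16 (IPv6 /32) prefix width are assumptions, and the SID here comes from `random_bytes` rather than `session_start`.

```php
<?php
// Added example. Table, function names and SERVER_SECRET are hypothetical.
const SERVER_SECRET = 'replace-with-random-server-side-key'; // placeholder value

// Coarse client fingerprint: User-Agent plus the IPv4 /16 (or IPv6 /32) prefix,
// so clients behind a rotating proxy pool are not logged out on every request.
// A User-Agent can be copied, so this raises the cost of reuse; it proves nothing.
function clientFingerprint(string $ip, string $userAgent): string
{
    $packed = @inet_pton($ip);
    $prefix = $packed === false ? '' : substr($packed, 0, strlen($packed) === 4 ? 2 : 4);
    return hash_hmac('sha256', $prefix . '|' . $userAgent, SERVER_SECRET);
}

// Called after a successful login: issue a fresh SID and persist the binding.
function persistSession(PDO $db, int $userId, string $ip, string $ua, int $ttl): string
{
    $sid = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions (sid, user_id, fingerprint, expires) VALUES (?, ?, ?, ?)')
       ->execute([$sid, $userId, clientFingerprint($ip, $ua), time() + $ttl]);
    return $sid;
}

// Returns the owning user id, or null if the SID is unknown, expired or from another client.
function validateSession(PDO $db, string $sid, string $ip, string $ua): ?int
{
    $stmt = $db->prepare('SELECT user_id, fingerprint, expires FROM sessions WHERE sid = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['fingerprint'], clientFingerprint($ip, $ua))) {
        // Mismatch: delete the stored session so a copied SID cannot be retried.
        $db->prepare('DELETE FROM sessions WHERE sid = ?')->execute([$sid]);
        return null;
    }
    return (int)$row['user_id'];
}

// Constructed demo on an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INT, fingerprint TEXT, expires INT)');
$ua  = 'ExampleBrowser/1.0';
$sid = persistSession($db, 7, '203.0.113.10', $ua, 1800);
var_dump(validateSession($db, $sid, '203.0.113.99', $ua)); // same /16, same User-Agent
var_dump(validateSession($db, $sid, '198.51.100.5', $ua)); // different network
var_dump(validateSession($db, $sid, '203.0.113.10', $ua)); // after the mismatch above
```

The demo calls cover a proxy change inside one network, a request from an unrelated network, and a retry from the original address after the mismatch removed the row.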

Messages In This Thread
PHP security concerns - by KeyStorm on 05-21-2005 at 03:33 PM
RE: PHP security concerns - by -dt- on 05-21-2005 at 04:36 PM
RE: PHP security concerns - by segosa on 05-21-2005 at 08:09 PM

