[nycphp-talk] Session Thoughts
Chris Shiflett
shiflett at php.net
Fri Oct 31 13:41:59 EST 2003
--- Mark Armendariz <nyphp at enobrev.com> wrote:
> I definitely see your point... Do you have a solution for a secure
> auto-login?
Not really, no. I am of the opinion that the idea of "auto-login" is
what sessions are really all about. The further into the future that
the session expiration is set (whether you let PHP expire sessions or
write your own logic), the less secure the session becomes. I prefer
that the user be slightly inconvenienced by having to provide a
password after a certain amount of time has passed.
Remembering the username is convenient for users and doesn't lessen
security too much, so that seems fine.
There are other things you can do to make session
hijacking/impersonation more difficult in any case, and some of these
methods are worth applying. For example, if the user with an ID of
12345 has been accessing your site with a user agent of "Mozilla 5.0
(Badass OS)", does it make sense to automatically resume the session
when the user with an ID of 12345 accesses your site with no
User-Agent header or with "Mozilla 4.0 (compatible; Lame OS)" or
something else? I think it's at least a situation that's worth
prompting the user to verify his/her password.
You can do like Yahoo and provide a link that explains why the user
must enter his/her password again, in case you're worried about your
users complaining about the hassle.
NYPHP will be offering a course on this topic as part of RAMP, and I
hope a lot of people are able to attend.
Hope that helps.
Chris
=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
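The check Chris describes, binding the session to the User-Agent it was established with and forcing a password prompt when it changes or when the session is too old, as an added example in PHP (not code from the original post or from NYPHP); it assumes a hypothetical `/reauth.php` page that re-verifies the password, and that `bind_session_to_client()` is called once the password has been checked.

```php
<?php
declare(strict_types=1);

session_start();

// Hash the User-Agent so the raw header is not stored in the session.
// A missing header is a distinct value, not an empty string, so a
// request with no User-Agent does not match a session that had one.
function ua_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '(no user-agent)';
    return hash('sha256', $ua);
}

// Call right after the password has been verified at login (or re-auth).
function bind_session_to_client(int $userId): void
{
    session_regenerate_id(true);          // fresh id after privilege change
    $_SESSION['user_id']   = $userId;
    $_SESSION['ua_hash']   = ua_fingerprint();
    $_SESSION['auth_time'] = time();
}

// Call at the top of every authenticated page. Returns true only when the
// session is still trusted; the caller sends everything else to re-auth.
function session_is_trusted(int $maxAge = 3600): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'], $_SESSION['auth_time'])) {
        return false;
    }
    // Absolute lifetime: even an active user re-enters the password
    // after $maxAge seconds (one hour here, an assumed value).
    if (time() - (int) $_SESSION['auth_time'] > $maxAge) {
        return false;
    }
    // User-Agent changed mid-session or disappeared: treat as suspect.
    if (!hash_equals($_SESSION['ua_hash'], ua_fingerprint())) {
        return false;
    }
    return true;
}

if (!session_is_trusted()) {
    // Keep user_id so /reauth.php knows whom to ask for the password,
    // but drop the trust markers so this session cannot act until then.
    unset($_SESSION['ua_hash'], $_SESSION['auth_time']);
    header('Location: /reauth.php');
    exit;
}
```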