[nycphp-talk] preventing randomized session variable from changing when page is refreshed

Edward JS Prevost II consult at covenantedesign.com
Thu Aug 21 10:48:11 EDT 2008


Ajai Khattri wrote:
 >
 > Sure, but most people reading this are shaking their heads because the PHP
 > session functions handle session IDs for you, no need to generate this
 > yourself. The session ID should be stored in a cookie and the cookie needs
 > to be checked for in every page. PHP's session functions do that for you.
 >
 > http://us3.php.net/manual/en/book.session.php

And most of that head shaking is due to security concerns... One of the 
best things you can do for yourself is buff up on some basic security 
concepts when dealing with sessions and persistence.

http://us3.php.net/session

Just 'cause I appreciate Harry's thoughts...
http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/

http://phpsec.org/projects/guide/4.html

Chris, has much changed in your thinking here?
http://talks.php.net/show/phpworks2004-php-session-security

and segfault...
http://segfaultlabs.com/files/pdf/php-session-security.pdf

-Ed
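
An added example, not code from this thread or its participants: it lets PHP's built-in session functions own the session ID, as the quoted reply recommends, and generates a random per-session value once so that it does not change when the page is refreshed. The helper names and the `page_token` key are hypothetical, and it assumes PHP 7.3 or later served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: start PHP's own session handling with conservative
// cookie settings instead of generating and tracking a session ID by hand.
function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // keep the ID out of reach of page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical helper: return a random value that is created only on the
// first request of a session. A refresh sends the same session cookie, so
// the stored value is reused instead of being regenerated.
function session_random_once(string $key, int $bytes = 16): string
{
    if (!isset($_SESSION[$key]) || !is_string($_SESSION[$key])) {
        $_SESSION[$key] = bin2hex(random_bytes($bytes)); // CSPRNG, hex-encoded
    }
    return $_SESSION[$key];
}

// Hypothetical helper: call after a privilege change such as login, so an ID
// fixed before authentication is not carried over (session fixation).
function rotate_session_id(): void
{
    session_regenerate_id(true); // true = delete the old session data
}

start_hardened_session();
$token = session_random_once('page_token'); // 'page_token' is a made-up key
echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'), "\n";
```

Rotating the session ID with `rotate_session_id()` does not change the stored value, because the session data is carried over to the new ID.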


