On May 29, 2013, at 11:05 PM, Paul M Foster <pa...@quillandmouse.com> wrote:
>> http://sperling.com/php/authorization/log-on.php
> 
> I realize this is example code.
> 
> My question is, in a real application where that $_SESSION['auth'] token
> would be used subsequently to gain entry to other pages, what would you
> use instead of the simple TRUE/FALSE value? It seems that someone (with
> far more knowledge of hacking than I have) could rather easily hack the
> session value to change its value. But then again, I pretty much suck
> when it comes to working out how you'd "hack" (crack) things.
> 
> Paul

Paul:

While the above link may be example code, it is still sound for production.

Keep in mind that everything in security comes down to a true/false condition. 
Do you let the person in or not!

Certainly there are attacks on session ids and one must deal with that. But 
that's the level of security we have today.

I could go through all the things you need to consider in protecting your 
session id (e.g., not accessing your bank accounts while having coffee at 
Starbucks) but that would defeat the purpose of attending one of my classes on 
the subject. :-)

If you are very concerned about security, then jump to a https protocol for 
those transactions; change session ids frequently; monitor the user's local 
environmental changes; time the session, and do a bunch of other stuff that 
will make it more and more difficult for your user to use your service. But for 
*most things* using a session id will keep things relatively safe.

Cheers,

tedd

_____________________
tedd.sperl...@gmail.com
http://sperling.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
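The following is an added example and is not code from the thread, from the log-on page linked above, or from sperling.com. It shows one way to implement the measures tedd lists (https-only cookies, periodic id rotation, a check on the client's environment, idle and absolute time limits) around the $_SESSION['auth'] pattern Paul asked about. The point worth making explicit for Paul's question: $_SESSION contents live on the server, so a client cannot edit the TRUE/FALSE value directly; what the client holds is only the session id cookie, so everything below is aimed at making that id harder to steal, fix or replay. All function names, the constants, the 'demo' user and its constructed password hash are assumptions for illustration; it needs PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
// Added example (not from the original thread). Assumed names and limits throughout.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS      = 15 * 60;   // assumed: log out after 15 min without a request
const ABSOLUTE_LIFETIME_SECONDS = 8 * 3600;  // assumed: hard cap of 8 h per login
const ROTATE_EVERY_SECONDS      = 5 * 60;    // assumed: issue a fresh session id every 5 min

// Start the session with settings that limit id theft and fixation.
function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued (anti-fixation)
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,     // only sent over https
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Coarse fingerprint of the client's environment; a stolen id replayed from a
// different browser will usually fail this. It is a signal, not proof of identity.
function client_fingerprint(): string
{
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return hash('sha256', $ua . '|' . $lang);
}

// Called once the password check has passed. Regenerating the id discards the
// pre-login id, so an attacker who planted it before login cannot reuse it.
function establish_login(int $userId): void
{
    session_regenerate_id(true);
    $now = time();
    $_SESSION = [
        'auth'        => true,
        'user_id'     => $userId,
        'login_at'    => $now,
        'last_seen'   => $now,
        'rotated_at'  => $now,
        'fingerprint' => client_fingerprint(),
    ];
}

// Run on every protected page instead of a bare `if ($_SESSION['auth'])`.
// Returns the user id, or null after destroying a session that failed a check.
function require_login(): ?int
{
    $now = time();
    $s   = $_SESSION;
    $ok  = ($s['auth'] ?? false) === true
        && isset($s['user_id'], $s['login_at'], $s['last_seen'], $s['rotated_at'], $s['fingerprint'])
        && hash_equals($s['fingerprint'], client_fingerprint())
        && ($now - $s['last_seen']) <= IDLE_TIMEOUT_SECONDS
        && ($now - $s['login_at']) <= ABSOLUTE_LIFETIME_SECONDS;

    if (!$ok) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = $now;
    if (($now - $s['rotated_at']) >= ROTATE_EVERY_SECONDS) {  // periodic id rotation
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }
    return (int) $s['user_id'];
}

// Clear server-side data, expire the cookie, and drop the session.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure'   => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// --- log-on.php style usage; the credential check is a constructed stand-in ---
secure_session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    // Assumed: in a real app the hash comes from the user table, produced by password_hash().
    $storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    if ($user === 'demo' && password_verify($pass, $storedHash)) {
        establish_login(42);
        header('Location: /members.php');
        exit;
    }
}
```

On a protected page, call secure_session_start() and then require_login(); a null result means the visitor should be sent back to the log-on form. The fingerprint deliberately excludes the client IP address, which changes on mobile networks and would log legitimate users out; the idle and absolute limits are the trade-off tedd mentions between making theft harder and making the service harder to use.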