At 2:11 PM +1000 16/4/02, Brad Hubbard wrote:
>On Tue, 16 Apr 2002 14:01, Manuel Lemos did align ASCII characters thusly:
>> Probably the fastest way to keep session profile information is by
>> serializing the data array into a string that will be encrypted and then
>> stored in a cookie. The security weakness of this method is that if the
>> secret key leaks, hackers may use it to forge new sessions.
>
>Is this documented anywhere?

What aspect of it do you want to see documentation for?

Try: http://www.google.com/search?q=cookie+session+hijack

I also have a bookmark to: http://cookies.lcs.mit.edu/
I recall that site has a link to a security study of high-profile sites and
their insecure use of cookies. But the site is not reachable from here at
present.

>> A more secure but eventually less scalable method is to store the
>> session data in a shared memory cache, so you minimize database accesses
>> to just one after the server is restarted. This is probably the one you
>> want to use as long as you know how to deal with shared memory and
>> semaphores.
>
>Is this documented anywhere?

What aspect of it do you want to see documentation for?

PHPLIB has session management via shared memory. I believe it's a little
flaky, but certainly a good start.

>My understanding was that htaccess authentication was more secure than
>session based because of the problems of session hijacking???

Aah, but does it scale? And do you want to run SSL for all page views?

...R.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
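The cookie scheme Manuel describes in the quoted text (serialize the session array, encrypt it, store the result in a cookie) and the weakness he points out (a leaked secret key lets anyone mint a session), shown as an added Python example. This is not code from the thread, from PHPLIB or from any PHP session library; the construction is my own assumption of a reasonable design: a per-cookie random nonce, HMAC-SHA256 used as a counter-mode keystream for confidentiality, a separate HMAC-SHA256 tag over nonce and ciphertext (encrypt-then-MAC), both keys derived from one master secret, and an expiry inside the sealed payload. The session contents and the 32-byte master key are constructed test data; a production system would use AES-GCM or a vetted library rather than the hand-rolled keystream here.

```python
"""Sealed session cookie: serialize -> encrypt -> MAC -> base64, and back.

Stdlib only. Illustrative construction (an assumption, not the thread's PHP code):
  * 16-byte random nonce per cookie
  * keystream = HMAC-SHA256(enc_key, nonce || block_counter), XORed with the
    JSON payload (a PRF in counter mode)
  * tag = HMAC-SHA256(mac_key, nonce || ciphertext)    (encrypt-then-MAC)
  * enc_key and mac_key are derived from one master secret with distinct labels
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC never share a key."""
    return hmac.new(master_key, b"session-cookie/" + label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with an HMAC-derived keystream."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))  # zip truncates the final block
    return bytes(out)


def seal_session(master_key: bytes, session: dict, ttl: int = 3600, now=None) -> str:
    """Serialize the session dict (plus an expiry) into an encrypted, MACed cookie value."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"data": session, "exp": now + ttl}, separators=(",", ":")).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(_derive(master_key, b"enc"), nonce, payload)
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_session(master_key: bytes, cookie: str, now=None):
    """Return the session dict, or None if the cookie is forged, damaged or expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    # Constant-time comparison, and the MAC is checked before anything is decrypted.
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(_keystream_xor(_derive(master_key, b"enc"), nonce, ct))
    if payload["exp"] < now:
        return None
    return payload["data"]


def tamper(cookie: str, index: int) -> str:
    """Flip one bit of the decoded cookie, to show the MAC rejects any modification."""
    raw = bytearray(base64.urlsafe_b64decode(cookie.encode()))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    server_key = secrets.token_bytes(32)          # constructed: the server's secret
    cookie = seal_session(server_key, {"user": "alice", "role": "user"})
    print("honest cookie opens as:", open_session(server_key, cookie))
    print("tampered cookie opens as:", open_session(server_key, tamper(cookie, 20)))
    # The weakness from the thread: once the key leaks, the attacker is the server.
    leaked_key = server_key
    forged = seal_session(leaked_key, {"user": "admin", "role": "admin"})
    print("forged cookie opens as:", open_session(server_key, forged))
```

Tampering, a wrong key or an expired payload all fail closed, so the MAC does what the thread wants from "encrypted"; but the last three lines of the demo are the point Manuel makes: the server has no way to tell a cookie it minted from one minted with a leaked copy of the key, so the key is the whole security of the scheme. A server-side store (the shared-memory cache discussed next in the thread) only ever puts a random, meaningless session ID in the cookie, which is why a leak of its data does not hand out forgery.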