PHPDeveloper.org: Joseph Crawford's Blog: Going deep inside PHP sessions

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Dave Marshall's Blog: Competition: PHP Job Hunters Handbook up for grabs

Job Posting: LIVESTRONG.com/Demand Media Inc. Seeks Senior PHP Software Developer (Santa Monica, CA)

Job Posting: Children's Hospital Boston Seeks Open Source Web Developer (Boston, MA)

Job Posting: eReleases Seeks Zend/PHP Developer (Baltimore, MD)

Job Posting: Chegg Seeks Senior PHP Developer (Santa Clara, CA)

Job Posting: TEKSystems (Recruiter) Seeks PHP Web Application Developers (Tampa, FL)

Job Posting: Quinstreet, Inc. Seeks Sr. PHP Developer (Foster City, CA)

Job Posting: WideEye Interactive/Moroch Advertising Seeks Web Developer (Dallas, TX)

Job Posting: Project People Ltd (Recruiter) Seeks PHP Developer (Paris, France)

Job Posting: Snelling (Recruiter) Seeks Web Programmer (Boston, MA)

News Archive

Site News: Blast from the Past - One Year Ago in PHP

Community News: phpGG Frontend Special

devReview.com: The Big List of PHP Frameworks

Kana Yeh's Blog: Review Ivo Jansch's Guide to Enterprise PHP development

Jani Hartikainen's Blog: Another idea for using models with forms

DevShed: PHP Programs to Prevent MySQL Injection or HTML Form Abuse

Misko Hevery's Blog: Guide: Writing Testable Code

Daniel Cousineau's Blog: Zend Framework Module Init Script (Controller Plugin)

Adobe Developer Connection: Integrated PHP and Flex Development with Zend Studio and Flex Builder

PHPFreaks.com: Protecting php applications with PHPIDS

Joseph Crawford's Blog:
Going deep inside PHP sessions

by Chris Cornutt February 23, 2007 @ 11:44:00

Security is becoming a more and more popular topic among PHP developers, and Joseph Crawford has followed the trend and written up his own look at the way PHP handles session and session information as it relates to the security for both the user and the server admin.

One aspect that I dislike about the internal PHP sessions is that they are stored in files on the hard disk (usually /tmp/) by default. This means anyone with access to the machine has access to read the session data. I prefer to store my session information in the database to add an extra layer of security.

He looks at the pitfalls of using this kind of setup (among them, multiple users being able to use one IP) and a simple method for creating a custom sessions handler to replace PHP's built-in one. His example works with a local database to handle saving and retrieving the session information. And, to make things unique, he generates a "fingerprint key" for each user's information to serve as a unique identifier rather than handling it on the connection.

0 comments voice your opinion now!
sessions custom handler security fingerprint sessions custom handler security fingerprint

Similar Posts

Community News: rPath Linux Updates PHP5 Packages

Chris Shiflett\'s Blog: Storing Sessions in a Database

Site News: Opinions on the Job Postings

Christian Wenz's Blog: SANS Top-20 Internet Security Attack Targets (2006 Annual Update)

Community News: Joomla! Major Security Update - v1.0.10

Community Events

Don't see your event here?
Let us know!

All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework