PHP stores information in sessions to keep track of which user someone has logged in as. The session has a session_id that can be taken through sniffing or man-in-the-middle attacks. Once attackers have your session_id they can present it from their own computer, and they will be you until you log out and your session is destroyed. I would like to test these theories out to see how to make this impossible. I can tie the user to one browser and refuse to accept that session_id from another browser. Tracking IP addresses doesn't work because AOL changes your IP address every time you go to a new page.
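One way to do the browser binding described above, as an added example that is not from the original post or the guides it links: the session records an HMAC of the User-Agent header on its first request and rejects the same session id when a browser presents a different one. FINGERPRINT_SECRET, browser_fingerprint, start_guarded_session and on_login are names made up for this example, and it assumes PHP 7.3 or later over HTTPS.

```php
<?php
// Added example, not from the original post: bind a PHP session to the
// browser that started it, without using the client IP address.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and HTTPS.
declare(strict_types=1);

// Server-side secret so a client cannot compute the stored fingerprint
// from its own User-Agent. Placeholder value; load it from config.
const FINGERPRINT_SECRET = 'replace-with-a-random-secret';

function browser_fingerprint(): string
{
    // REMOTE_ADDR is deliberately left out: proxies such as AOL's rotate
    // the IP between page loads, which would log out legitimate users.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, FINGERPRINT_SECRET);
}

function start_guarded_session(): void
{
    // Id travels only in an HttpOnly, Secure cookie; strict mode rejects
    // ids the server never issued (blocks session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();

    $fp = browser_fingerprint();
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fp;   // first request: record the browser
        return;
    }
    if (!hash_equals($_SESSION['fp'], $fp)) {
        // Same id presented from a different browser: destroy the session.
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session rejected');
    }
}

// After a successful password check: fresh id, so a pre-login id is useless.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_guarded_session();
```

An attacker who sniffed the cookie on the wire also saw the User-Agent header, so the fingerprint is only a speed bump; serving every page over HTTPS with the Secure cookie flag is what actually stops the sniffing in the first place.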
Here are some links I am studying right now.
http://blogs.sitepoint.com/notes-on-php-session-security/
http://phpsec.org/projects/guide/4.html
http://blogs.sitepoint.com/php-security-blunders/
I think eventually I will want to go to a more secure method: keep nothing in the session except a session id, and store everything that would normally go in session variables (username, full name, whether they are an employee, what page they are on, and so on) in the database, keyed by that id.
Read this page for information on how to store sessions in a database:
http://www.oracle.com/technetwork/articles/mclaughlin-phpid1-091467.html