Re: Client-Side Session Data

Vincent Delporte wrote:
On Sun, 17 Dec 2006 23:33:23 GMT, Sanders Kaufman <bucky@xxxxxxxxxxx>
wrote:
When you have a session going, I know that PHP stores a session
token on the client, but does it keep the session *data* on the
client, as well?

BTW, here's an article that just came out on dangerous ways to use
cookies:

How Not To Use Cookies

http://www.informit.com/guides/printerfriendly.asp?g=security&seqNum=232&rl=1


Yup, it breaks down to some very simple rules:
1. HTTPS. No discussion, don't assume anything if you haven't got it.

2. Userdata belongs on the server, and stays on the server. Users know
their own password, email address, etc, and why transfer logged in status &
rights to and from the user? The only place where they're needed is on the
server itself...

3. Using cookies to keep track of logged in visitors is handy. They should
have random, unguessable values, and absolutely nothing to do with their
actual information. They're just a random ID for you; the data that they
represent you can link on the server.

4. Do not keep users logged in. Session time out and cookies, if still
present, become useless for anyone trying to use it later. Explain that to
people who don't want to remember passwords.

5. Do not use the same ID purposefully twice (although it might occur,
chances should be very slim). A user logs in, and gets a random id.

6. And finally THE golden rule: never, ever trust user input. If you expect
a number, make sure it's a number. If you expect only certain characters,
make sure there are no others. If you cannot escape the fact that users have
to enter an unknown text, use the character escaping tools at your
disposal. Be very, very wary of SQL injection.

There are others, but these are the most important imho. There are others,
like keep a log of what users do from what location, but that's usually only
needed when it has gone wrong and you have to track it back; never save a
plain password; do not display errors in your code should it break for some
reason, error-displaying is for development, etc.
--
Rik Wasmus
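The rules above, as an added PHP example that is not part of the original thread: only the random session ID goes to the client, the login state lives in `$_SESSION`, idle sessions expire, the ID is regenerated on login, and the username is whitelisted and bound as a prepared-statement parameter. It assumes a PDO connection `$db` and a `users` table with `id`, `username` and `password_hash` columns (constructed schema); the cookie settings need PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post. Assumed schema: users(id, username, password_hash).

const SESSION_IDLE_LIMIT = 900; // seconds of inactivity before the session is dropped (rule 4)

// Rules 1 and 3: cookie only over HTTPS, not readable by script, and the ID
// itself is random and generated by PHP; it carries no user data.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept an ID from the URL
session_start();

// Rule 4: do not keep users logged in; an idle session becomes useless.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
    $_SESSION = [];                 // drop everything that was linked to the old ID
    session_regenerate_id(true);    // and retire the old ID so a stale cookie is worthless
}
$_SESSION['last_seen'] = time();

// Rule 6: never trust user input. Whitelist the username's character set and
// bind it as a parameter, so nothing the user typed reaches SQL as code.
function find_user(PDO $db, string $username): ?array
{
    if (!preg_match('/^[a-z0-9_]{3,32}$/', $username)) {
        return null;                // not a valid username, reject without querying
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $username, string $password): bool
{
    $user = find_user($db, $username);
    // Only a password hash is stored server-side; the plain password is never saved.
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // rule 5: a fresh random ID on every login
    $_SESSION['user_id'] = (int) $user['id']; // rule 2: identity and rights stay on the server
    return true;
}
```

Later requests read `$_SESSION['user_id']` on the server; the browser only ever holds the opaque session cookie.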