Securing Pages

Anon

I have been looking for a good secure way to secure all of my php pages. I was wondering if any one had some suggestions or a point in the right direction. I see their are a couple of opensource phpSecurity programs out their but I wanted to see what the seriour php programs are doing out there?

thanks

Anon

aaa

Anon

What manner of security are you looking for?

Anon

I have the same problem my self, How or what is the best way to secure a page?

In what manner? I guess, what I need is the way to load a page if a visitor is authorized to do so.

I've tried several way (including phplib) but its too much for a small site.

thx.

Anon

You can use a login page, where the suppied username and password are checked off against a database and, if there's a match, set a session variable that says they're allowed to look at locked pages - sort of like being issued a backstage pass.

Each locked page first retrieves the session variable and checks that it's valid. If yes, the page continues to be processed, otherwise they're redirected back to the login page and the script exits.

That's just an outline, of course.

Anon

But everybody having access to the Sessid, wheter he peeks on it or snifs it on the net, can then hijack the session.

Assume, i always append sessid on the url.

Anon

Sticking the session ID on the URL smells bad - it clutters up the URL, contaminates bookmarks, and winds up in the browser history.

For sniffed sessions being hijacked, check the IP address of where the request is coming from.

yusuf

I'm avoiding cookies for compatibility reason.
About checking the remote IP, that's a nood a good idea for proxies.

Anon

If you use PHP's session management (and especially if it was built with --enable-trans-sid), then if cookies aren't available it will failover to stashing the session id in the URL.