php, sessions and webapp security

gregsmith

Hi there,

I was wondering what tips people can give me on security. I've just started using php sessions a bit more and have heard there are general security issues connected to them.

What are the main best practices to cover most security bases or are sessions secure enough?

On a side note, I hear it's php security month and they've already found some big holes. This should be great for the later versions of php.

Azala

1) Never ever trust user input
2) Make sure you do a session_regenerate_id when your user for example logs in to clear out any session riders (session fixation)

Sessions can be manipulated, what comes from a session must always be validated, all the time, everytime. Your next "fear" is that someone gets another persons session id and uses it on his own browser to "ride" on that users "state".

Thats all I can think of at this point.