Bytes | Software Development & Data Engineering Community

PHP Vulnerabilities in sessions

AaronL
I'm developing a software package in PHP that uses a login system. I use verification by checking the username and password against the values in my MySQL database. After I verify them, I'm using $_SESSION variables to pass through the software to determine if the username and password have been verified already, and if not, it redirects to the log-in page.

I've recently read about security exploits with $_POST and $_GET that I have already addressed (at least I hope); my concern now is with session hijacking.
I want to make sure my software is 100% secure. So secure that it passes tests from sites like hackersafe etc...

What is the best way to make a login system with PHP that is secure? Eventually I am going to add an SSL certificate to the software as well.

Any tips involving security would be awesome. Thank you all again!
May 26 '10 #1
AaronL
No advice for this??
Jun 5 '10 #2
Hi Aaron, sorry you didn't get a reply sooner. As I'm sure you're aware, session hijacking occurs when a third party intercepts the packets sent to the server by a logged-in user. When the user logs in and is authenticated, the server sets a session identifier cookie in the user's browser. Each time the user accesses a new page, the cookie data is transmitted again. If your users are not accessing your pages over a secure connection, then anyone with the technical knowledge and nothing better to do with their time could theoretically intercept that cookie data and use it to impersonate the registered user. So I'd say setting up an SSL is your first step.
That's not enough to make your system 100% secure though... I'm not sure what would be. I actually logged in to ask a question about that myself! I know that one critical element is to always escape any user-submitted data, and type-check it when possible (e.g. don't allow strings when you require a number). Best of luck to you.
Jun 22 '11 #3
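The reply above names the three things that matter for this thread's concern: the session cookie travels with every request, so it must only travel over TLS; user-submitted data must never be concatenated into SQL; and the "logged in" flag stored in $_SESSION should be hard to forge or steal. The following PHP is an added example written for this page, not code from either poster. It assumes a `users` table with `id`, `username` and `password_hash` columns (passwords stored with `password_hash()`), and the PDO DSN, the `login.php` path and the idle timeout are placeholder values.

```php
<?php
// Added example (not from the thread). Table/column names, the DSN and the
// redirect paths are placeholders; adapt them to the real application.

declare(strict_types=1);

// 1. Session cookie hardening, called before session_start() on every page.
//    secure   -> cookie is only sent over HTTPS (the SSL step from the reply)
//    httponly -> page scripts cannot read the cookie, so an XSS cannot export it
//    samesite -> cookie is not attached to cross-site requests (CSRF mitigation)
function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the query string
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. Credential check with a prepared statement (the "escape user data" point
//    from the reply, done by parameter binding instead of manual escaping) and
//    password_verify() against the stored hash. Returns the user id or null.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same failure path for unknown user and wrong password
    }
    return (int) $row['id'];
}

// 3. On successful login, rotate the session ID so an ID issued before
//    authentication (which a third party may already hold) never becomes
//    an authenticated one.
function login(PDO $db, string $username, string $password): bool
{
    $userId = authenticate($db, $username, $password);
    if ($userId === null) {
        return false;
    }
    session_regenerate_id(true);          // fresh ID, old session data deleted
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = true;
    $_SESSION['last_seen'] = time();
    return true;
}

// 4. Guard for the top of every protected page: the "already verified" check
//    the question describes, plus an idle timeout that limits how long a
//    stolen cookie stays useful.
function requireLogin(int $idleSeconds = 900): void
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    if (time() - (int) ($_SESSION['last_seen'] ?? 0) > $idleSeconds) {
        logout();
        header('Location: /login.php?expired=1');
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// 5. Logout clears server-side state and expires the cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on login.php (DSN and credentials are placeholders):
// startSecureSession();
// $db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $u = (string) ($_POST['username'] ?? '');
// $pw = (string) ($_POST['password'] ?? '');
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && login($db, $u, $pw)) {
//     header('Location: /dashboard.php');
//     exit;
// }
// On every other page: startSecureSession(); requireLogin();
```

The array form of `session_set_cookie_params()` needs PHP 7.3 or later. Note that none of this makes the system "100% secure" in the sense the original poster asks for; what it does is make a captured cookie much harder to obtain (TLS plus `httponly`) and shorter-lived (ID rotation plus idle timeout), and remove SQL injection from the login query by never building SQL from user input.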
