Learning PHP, MySQL, and JavaScript by Robin Nixon

Cookies should be transferred before a web page’s HTML, because they are sent as part of the headers.

To store a cookie on a web browser, use the set_cookie function.

To destroy a cookie, reissue it with set_cookie but set its expiration date in the past.

Using HTTP authentication, the username and password are stored in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

The md5 function is a powerful security measure, because it is a one-way function that converts a string to a 32-character hexadecimal number that cannot be converted back, and is therefore almost uncrackable.

When a string is salted, extra characters (known only by the programmer) are added to it before md5 conversion. This makes it nearly impossible for a brute force dictionary attack to succeed.

A PHP session is a group of variables unique to the current user.

To initiate a PHP session, use the session_start function.

Session hijacking is where a hacker somehow discovers an existing session ID and attempts to take it over.

Session fixation is the attempt to force your own session ID onto a server rather than letting it create its own.