Summary

We have continued our survey of potential threats to the safety of your users' data by abusers who take advantage of vulnerabilities in your scripts, dealing in this chapter with abuse of sessions.

After describing exactly what sessions are and how they work, we discussed two common kinds of session abuse: hijacking, in which the abuser obtains the identifier of a session that already exists, and fixation, in which the abuser plants a known identifier on the victim before the victim logs in. In both cases, the abusers are attempting to use someone else's authorized access to carry out their own nefarious purposes.

We then discussed a series of possible solutions:

  • Protect your sessions with TLS (formerly SSL), which encrypts the entire transaction, so that the session identifier cannot be read off the wire.
  • Insist on carrying the session identifier in a cookie rather than in $_GET variables; an identifier in the URL leaks through Referer headers, server logs, bookmarks, and shared links.
  • Time sessions out, both after a period of inactivity and after an absolute lifetime, so a stolen identifier has a short useful life.
  • Regenerate session IDs when users change status (log in, log out, gain or lose privileges), so that an identifier an abuser fixed or observed beforehand never becomes an authenticated one.
  • Rely on tested code abstraction. ...
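As an added illustration of the measures in this list (example code, not the book's own), the following PHP puts cookie-only session IDs, strict mode, idle and absolute timeouts, and ID regeneration on login into one bootstrap. It assumes PHP 7.3 or later (for the samesite cookie option) and a site served over HTTPS; the function names and the two timeout values are assumptions chosen for the example.

```php
<?php
// Added example, not from the book: a hardened session bootstrap in plain PHP.
// Assumes PHP >= 7.3 and that the site is served over HTTPS.

declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 900;   // assumed: 15 minutes without a request
const SESSION_ABSOLUTE_LIMIT = 28800; // assumed: 8 hours since the session began

function startHardenedSession(): void
{
    // Accept the session ID only from the cookie, never from the URL or a form field.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse any ID the server did not generate itself: a fixated, attacker-chosen
    // ID is discarded and replaced instead of being adopted.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent only over TLS
        'httponly' => true,    // not readable from JavaScript, which limits theft via XSS
        'samesite' => 'Lax',
    ]);

    session_start();
    $now = time();

    if (!isset($_SESSION['created_at'])) {
        // Brand-new session: record when it began and when it was last used.
        $_SESSION['created_at'] = $now;
        $_SESSION['last_seen']  = $now;
        return;
    }

    // Time the session out on either an idle limit or an absolute limit.
    $idle = $now - $_SESSION['last_seen'];
    $age  = $now - $_SESSION['created_at'];
    if ($idle > SESSION_IDLE_LIMIT || $age > SESSION_ABSOLUTE_LIMIT) {
        destroySession();
        session_start();
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

function destroySession(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as removing the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Call this once the user's credentials have been verified. Regenerating the ID
// (and deleting the old session data) means an identifier observed or planted
// before authentication never becomes an authenticated one.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
    $_SESSION['last_seen']  = time();
}

// Call this on logout or on any loss of privilege.
function onLogout(): void
{
    destroySession();
}

// Usage: startHardenedSession() at the top of every script; onLogin($id) after
// the password check succeeds; onLogout() when the user leaves.
```

The same regeneration step belongs wherever privilege changes, for example when an ordinary user becomes an administrator, not only at login.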
