FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Best practice, (secure), to save session data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Best practice, (secure), to save session data? [message #178406 is a reply to message #178405] Thu, 14 June 2012 16:30 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 6/14/2012 8:52 AM, Chris Davies wrote:
> Simon<bad(at)example(dot)com> wrote:
>> the way I see it, if they can get the session cookie then they can
>> just as well access the base64_encoded data anyway.
>
> Almost.
>
> 1. If you put the data in the session cookie as base64 then it can be
> decoded and viewed any time someone likes. No security.
>
> 2. If you encrypt the data into the cookie using a secret known only to
> the website then at least someone has to go to the bother of trying to
> brute force the data string, but they have as much time as they like to
> do so. Password security.
>

Incorrect. They don't need to break the string. All they have to do is
send the cookie. The server doesn't care which client the cookie came from.

> 3. If you put a session key in the cookie with, say, a 4 hour timeout on
> the webserver side where the real data is stored, then after the timeout
> has expired the session key is useless to anyone trying to obtain your
> client's data. Time security.
>

Yes, but if there's personal data, 4 hours may be too long.

> You have to trade off password-based vs time-based security. Generally
> #3 is the preferred solution.
>
> Chris


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Stats comp.lang.php (last 7 days)
Next Topic: Is spl_object_hash unique in the SQL sense? Can it be used as a unique SQL db column?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 22:11:45 GMT 2024

Total time taken to generate the page: 0.04313 seconds