2. Broken Access Control
Instead of rolling your own access control solution, use PEAR modules. Auth does cookie-based authentication for you and Auth_HTTP does browser-based authentication.

See Also:
3. Broken Account and Session Management
Use PHP’s built-in session management functions for secure, standardized session management. However, be careful how your server is configured to store session information. For example, if session contents are stored as world-readable files in /tmp, then any user who logs into the server can see the contents of all the sessions. Store the sessions in a database or in a part of the file system that only trusted users can access.

To prevent network sniffers from scooping up session IDs, session-specific traffic should be sent over SSL. You don’t need to do anything special to PHP when you’re using an SSL connection, but you do need to specially configure your web server.
See Also:
- PHP Manual: Session handling functions
- PHP Cookbook: Recipe 8.5 (“Using Session Tracking”), Recipe 8.6 (“Storing Sessions in a Database”)
