Re: [LUG] PHP Session problems

 

If you want to be secure then the only data you should ever store in a cookie 
is a session ID and that session ID should be created in such a way as to 
make forging it nigh on impossible and with sensible timeouts on client and 
server. And remember some people/institutions won't allow cookies so you 
should be able to offer alternatives - generally the query string (i.e. 
URL?sessioninfo=encryptedstring).
The server should be used for all other information - userinfo, shopping list 
etc.
Not only is this good practice but it makes debugging a hell of a lot easier!
I'm trying not to be too technical here!
Tom te tom te tom


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
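
The advice in the message above, sketched with PHP's built-in session handling for the cookie case only. This is an added example, not code from the original post; the function names, the two timeout constants and the sample basket item are assumptions, and it needs PHP 7.4 or later served over HTTPS.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 900;        // assumed: 15 minutes of inactivity, enforced on the server
const ABSOLUTE_LIMIT = 28800;  // assumed: 8 hours maximum session age

function start_secure_session(): void
{
    // Refuse session IDs the server did not issue itself (blocks fixation).
    ini_set('session.use_strict_mode', '1');
    // Let garbage collection discard session data idle longer than the limit.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    session_set_cookie_params([
        'lifetime' => 0,       // client-side timeout: cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();           // PHP 7.1+ draws the ID from a CSPRNG

    $now = time();
    $expired = isset($_SESSION['created'], $_SESSION['last_seen'])
        && ($now - $_SESSION['last_seen'] > IDLE_LIMIT
            || $now - $_SESSION['created'] > ABSOLUTE_LIMIT);

    if ($expired) {
        // Server-side timeout: drop the stored data and issue a fresh ID.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['created'] ??= $now;
    $_SESSION['last_seen'] = $now;
}

function log_in(int $userId): void
{
    // Hypothetical login hook: new ID on privilege change, old one is deleted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // user info lives on the server, not in the cookie
}

start_secure_session();
$_SESSION['basket'] ??= [];                      // shopping list stays server side
$_SESSION['basket'][] = 'sku-constructed-123';   // constructed sample item
```

The browser only ever receives the opaque session ID; the user ID, basket and timestamps stay in the server's session store.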