[nycphp-talk] session validation between http requests
Konstantin Rozinov
krozinov at gmail.com
Thu Aug 6 01:16:20 EDT 2009
Thanks for both suggestions.
On Sat, Aug 1, 2009 at 10:02 PM, John Campbell<jcampbell1 at gmail.com> wrote:
> On Sat, Aug 1, 2009 at 3:35 AM, Konstantin Rozinov<krozinov at gmail.com> wrote:
>
>> Any ideas, comments, or suggestions would be greatly welcomed!
>
> For improved security, you should not do:
>
>> header('Location: /logout');
>
> but rather invalidate the session right there. Your code relies on
> the attacker actually following redirects to unset the session.
> People who hijack sessions don't follow redirects.
>
> I did a test to see if this would actually be valuable, and from my
> access log file the most common user agent only had 3% of the traffic,
> so I think there is some value to this approach. I think 'httponly'
> cookies is probably a better XSS attack mitigation strategy in the
> long run (though there is no reason you can't do both).
>
> In php 5.2+ the option is:
> ini_set("session.cookie_httponly", 1);
>
> It is supported by FF 3+, IE7+, and Safari 4+
>
> Regards,
> John Campbell
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>
More information about the talk
mailing list