PHP Magazine and Sessions
by Chris Shiflett
Related link: http://www.phpmag.net/
PHP Magazine has a free issue coming up on 15 Dec 2003 to celebrate the new monthly version of their magazine to be published in PDF format. A few weeks ago, I was asked to write the cover article, an offer I happily accepted.
My article discusses sessions. After covering some basics about HTTP, maintaining state, and cookies, I spend
the rest of the time discussing impersonation attacks and methods of prevention. My approach is to give readers the background information they need to make educated decisions about the techniques they employ, and then to contrast a few suggested techniques with the steps necessary to subvert them. I think this contrast provides a nice metric by which to measure the strength of each approach.
One important point that I mention in the article is that there is no perfect solution. While I introduce a few different techniques that can be used to complicate impersonation, I am hoping that my readers will think of many more and be willing to share them. If you have a favorite technique for securing your sessions, please contact me and describe it. In exchange, I will send you a reply with my review of your implementation, and I will also compile my favorites and share them in my blog or as a future (free) article.
What are your favorite techniques for securing sessions?