
Our source is open

The syntax highlighted source is automatically generated by PHP from the plaintext script. If you're interested in what's behind the several functions we used, you can always take a look at the source of the following files:

Of course, if you want to see the source of this page, we have it available. You can also browse the SVN repository for this website on svn.php.net.

Source of: /manual/en/session.security.php

<?php
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/shared-manual.inc';
$TOC = array();
$PARENTS = array();
include_once dirname(__FILE__) . "/toc/book.session.inc";

// Navigation metadata consumed by manual_setup() / manual_header():
// each entry is array(0 => target file, 1 => link title).
$setup = array(
    'home' => array(
        0 => 'index.php',
        1 => 'PHP Manual',
    ),
    'head' => array(
        0 => 'UTF-8',
        1 => 'en',
    ),
    'this' => array(
        0 => 'session.security.php',
        1 => 'Sessions and security',
    ),
    'up' => array(
        0 => 'book.session.php',
        1 => 'Session Handling',
    ),
    'prev' => array(
        0 => 'session.customhandler.php',
        1 => 'Custom Session Handlers',
    ),
    'next' => array(
        0 => 'ref.session.php',
        1 => 'Session Functions',
    ),
);
$setup["toc"] = $TOC;
$setup["parents"] = $PARENTS;
manual_setup($setup);

manual_header();
?>
<div>
 <h1>Sessions and security</h1>

 <p class="para">
  External links: <a href="http://www.acros.si/papers/session_fixation.pdf" class="link external">&raquo; Session fixation</a>
 </p>
 <p class="para">
  The session module cannot guarantee that the information you store
  in a session is only viewed by the user who created the session. You need
  to take additional measures to actively protect the integrity of the
  session, depending on the value associated with it.
 </p>
 <p class="para">
  Assess the importance of the data carried by your sessions and deploy
  additional protections accordingly. This usually comes at a price:
  reduced convenience for the user. For example, if you want to protect
  users from simple social engineering tactics, you need to enable
  <i>session.use_only_cookies</i>. In that case, cookies must be enabled
  unconditionally on the user side, or sessions will not work.
 </p>
 <p class="para">
  There are several ways to leak an existing session id to third parties.
  A leaked session id enables the third party to access all resources which
  are associated with that id. First, URLs carrying session ids: if you
  link to an external site, the URL including the session id might be
  stored in the external site&#039;s referrer logs. Second, a more active
  attacker might listen to your network traffic; if it is not encrypted,
  session ids will flow in plain text over the network. The solution here
  is to implement SSL on your server and make it mandatory for users.
 </p>
</div>
<?php manual_footer(); ?>
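The two paragraphs above recommend enabling <i>session.use_only_cookies</i>, keeping session ids out of URLs, and making SSL mandatory; the linked paper covers session fixation. The following is an added example of a session bootstrap that applies those measures together. It is not code from the manual page or from php.net; the ini directives and functions it calls (<i>session.use_only_cookies</i>, <i>session.use_trans_sid</i>, <i>session.use_strict_mode</i>, <i>session.cookie_secure</i>, <i>session.cookie_httponly</i>, <i>session.cookie_samesite</i>, <i>session_regenerate_id()</i>) are real PHP settings and functions, while the helper function names and the fallback host <i>example.com</i> are this example's own.

```php
<?php
// Added example (not from the PHP manual page): a hardened session bootstrap
// that applies the measures the page recommends. The ini directives and
// session_* calls are real PHP APIs; the helper function names are assumed.

declare(strict_types=1);

/**
 * Configure the session layer so the id travels only in a cookie, only over
 * TLS, and is never accepted from a client-chosen value.
 * Must run before session_start().
 */
function configureHardenedSession(): void
{
    // The page's point: accept the id from cookies only, never from the URL,
    // so it cannot end up in an external site's referrer logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');     // never rewrite ids into links

    // Reject ids the server did not generate itself (mitigates the session
    // fixation scenario described in the linked paper). PHP >= 5.5.2.
    ini_set('session.use_strict_mode', '1');

    // The cookie is sent only over HTTPS and is not readable by page scripts.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');  // PHP >= 7.3
}

/**
 * Enforce "make SSL mandatory" at request time: report whether this request
 * arrived over TLS. Only $_SERVER['HTTPS'] is consulted; if TLS terminates at
 * a reverse proxy, adapt this to whatever trusted signal that proxy provides.
 */
function requestIsHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

/**
 * Call once the user has authenticated: the pre-login id (which may have
 * been planted or already leaked) is discarded and a fresh one issued.
 * The `true` argument deletes the old session data instead of keeping it.
 */
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// --- request handling ---
configureHardenedSession();

if (!requestIsHttps()) {
    // Redirect to the HTTPS origin before any session id is issued, so the
    // id never flows over the network in plain text.
    $host = $_SERVER['HTTP_HOST'] ?? 'example.com';   // placeholder fallback
    $uri  = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . $host . $uri, true, 301);
    exit;
}

session_start();

// Example usage after a successful credential check (assumed elsewhere):
// onSuccessfulLogin($authenticatedUserId);
```

With <i>session.use_only_cookies</i> and <i>session.use_trans_sid</i> set this way, a client that blocks cookies simply gets no session, which is the convenience cost the page describes; the redirect and the cookie flags together make the "SSL mandatory" advice enforceable rather than advisory.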