Lathrop Preston on Tue, 18 Nov 2003 09:44:59 -0600


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [ciapug] Securing session variables


Unless someone gets access to the server and places a file to read out the session contents (at which point session/no-session is not an issue any more)

there really is no way for someone un-authorized to access session contents.

the only thing stored on the users computer is the session id (if using cookie based sessions, the default)

one additional measure you could try to do is check the referer header to insure that it is not an attempt to direct link in. (breaks in IE because IE does not send _any_ header for referer...)

I have had to deal with a lot of issues with php session handling for a large project I work on.

Lathrop

Chris Hettinger wrote:

The application that I am writing deals with the input of patient
information. I don't pass much at all in session variables, except a
couple ID's. Really I was not sure how 'secure' session variables are
from being seen, hence my question.

Just trying to cover my end.


-----Original Message-----
From: ciapug-admin@xxxxxxxxxx [mailto:ciapug-admin@xxxxxxxxxx]On Behalf
Of Lathrop Preston
Sent: Tuesday, November 18, 2003 8:51 AM
To: ciapug@xxxxxxxxxx
Subject: Re: [ciapug] Securing session variables



I am not exactly certain what you are trying to accomplish here with
this.

could you explain the need for this security.

Lathrop

Chris Hettinger wrote:

What are your suggestions in regards to securing session variables in

web site applications?

I am currently working on a project in which I am using session 

variable to store some key identifiers so the next page(s) can use them.
I am wondering if I could do anything to secure these variables between
page transitions.

Could I encode them in some way on page X, before redirecting to page

Y. Then having something decode it on page Y so it can be used ??

-Chris Hettinger, Web Specialist
-IFMC/ENCOMPASS
-www.encompas.com
-(515) 279-8730



CONFIDENTIALITY NOTICE: This communication, including any attachment, 

may contain confidential information and is intended only for the
individual or entity to whom it is addressed.  Any review,
dissemination, or copying of this communication by anyone other than the
intended recipient is strictly prohibited.  If you are not the intended
recipient, please contact the sender by reply email, delete and destroy
all copies of the original message.'

_______________________________________________
ciapug mailing list
ciapug@xxxxxxxxxx
http://cialug.org/mailman/listinfo/ciapug




_______________________________________________
ciapug mailing list
ciapug@xxxxxxxxxx
http://cialug.org/mailman/listinfo/ciapug


CONFIDENTIALITY NOTICE: This communication, including any attachment, may contain confidential information and is intended only for the individual or entity to whom it is addressed. Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email, delete and destroy all copies of the original message.'

_______________________________________________
ciapug mailing list
ciapug@xxxxxxxxxx
http://cialug.org/mailman/listinfo/ciapug



_______________________________________________
ciapug mailing list
ciapug@xxxxxxxxxx
http://cialug.org/mailman/listinfo/ciapug