php security for cookies and sessions -

-

regarding php security cookies , sessions, have done far prevention of attacks. have done incorrectly/unsafely?

login.php

 if ($username==$dbusername&&$hashed_password==$dbpassword){  setcookie('username[0]',$username,time()+(60*60*24*365)); setcookie('username[1]',$userid,time()+(60*60*24*365)); setcookie('password',$hashed_password,time()+(60*60*24*365));  if($admin=='1') { setcookie('username[3]',$admin,time()+(60*60*24*365));   } $_session['logged-in']=1;

logout.php

    $time = time()-(60*60*24*365); setcookie('username[0]', '',$time); setcookie('username[1]', '',$time); setcookie('username[2]', '',$time); setcookie('username[3]', '',$time); setcookie('password', '',$time); unset($_cookie['username']);  unset($_session['logged-in']);

i call session_regenerate_id() on everypage, correct stop session fixation/hijacking? 

<?php session_start(); session_regenerate_id();

here php.ini other ways provide security sessions & cookies

    session.use_trans_sid = 0 session.user_only_cookies = 1

any examples/impovements welcomed, learn better examples.

often regenerating session-id done, when changing access priviledges (e.g. after login).

the password should not stored in cookie on client side, not hash. it's not necessary store in session, use verify login, , after writing state session, should forget password.

if want safe site, need https connection ssl encryption. otherwise attacker can eavesdrop information sent plaintext, , use session-id (or whatever use authenticate user) impersonate user.


Comments

Post a Comment

Popular posts from this blog

c# - SVN Error : "svnadmin: E205000: Too many arguments" -

-
i trying reposotries using c# code process svncommand = null; var psi = new processstartinfo("svnadmin"); psi.redirectstandardoutput = true; psi.redirectstandarderror = true; psi.useshellexecute = false; psi.arguments= @"dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump"; using (svncommand = process.start(psi)) { var myoutput = svncommand.standardoutput; var myerror = svncommand.standarderror; debug.write("output :" + environment.newline + environment.newline + myoutput.readtoend() + environment.newline + "error :" + environment.newline + environment.newline + myerror.readtoend()); svncommand.close(); } when use dump command commandline svnadmin dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump it works fine when try ...
Read more

c# - Copy ObservableCollection to another ObservableCollection -

-
how copy observablecollection item observablecollection without reference of first collection? here observablecollection item value changes affecting both collections. code private observablecollection<ratemodel> _allmetalrate = new observablecollection<ratemodel>(); private observablecollection<ratemodel> _metalrateondate = new observablecollection<ratemodel>(); public observablecollection<ratemodel> allmetalrate { { return this._allmetalrate; } set { this._allmetalrate = value; notifypropertychanged("metalrate"); } } public observablecollection<ratemodel> metalrateondate { { return this._metalrateondate; } set { this._metalrateondate = value; notifypropertychanged("metalrateondate"); } } foreach (var item in metalrateondate) allmetalrate.add(item); what causing , how can solve it? you need clone object referenced item before it's a...
Read more

All overlapping substrings matching a java regex -

-
is there api method returns (possibly overlapping) substrings match regular expression? for example, have text string: string t = 04/31 412-555-1235; , , have pattern: pattern p = new pattern("\\d\\d+"); matches strings of 2 or more characters. the matches are: 04, 31, 412, 555, 1235. how overlapping matches? i want code return: 04, 31, 41, 412, 12, 55, 555, 55, 12, 123, 1235, 23, 235, 35. theoretically should possible -- there obvious o(n^2) algorithm enumerates , checks substrings against pattern. edit rather enumerating substrings, safer use region(int start, int end) method in matcher . checking pattern against separate, extracted substring might change result of match (e.g. if there non-capturing group or word boundary check @ start/end of pattern). edit 2 actually, it's unclear whether region() expect zero-width matches. specification vague, , experiments yield disappointing results. for example: string line = "xx90xx"; strin...
Read more