5.3. Keeping Sessions Secure

Session technology is the method by which modern Web applications keep track of state in the inherently stateless world of the HTTP protocol. Session data is stored in the $_SESSION superglobal array, keyed on a unique session ID. When users send requests to the Web server, they include their session ID, which allows the application to retrieve and use their session data. How sessions work is explained in detail in Book VI, Chapter 2.

Unless a user has cookies turned off, the session ID is passed from the browser to the Web server in a cookie. If cookies are turned off, the session ID can instead be passed in the URL or in a POST form.

5.3.1. Use cookies

Normally, cookies are stored as tiny files on the user's hard drive. Session cookies are kept in memory only, so if the user closes his or her browser, the session is invalidated. If the user didn't mean to close the browser, he or she needs to log in again, but that's a small price to pay to prevent session hijacking or fixation.

Passing the session ID in the URI is, apart from an HTML form, the only way to provide sessions to users who have cookies turned off, but it is also a much more dangerous method because the session ID travels in plain sight; this is referred to as using a transparent session ID. Someone eavesdropping on the network can sniff out the session ID effortlessly. The greater risk is that the legitimate user can copy the URI and send it (usually via insecure e-mail ...
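As an added example (not code from the book), here is the cookie-only session setup that the two subsections above recommend, with the transparent-session-ID settings shown beside it for contrast. It assumes PHP 7.3 or later and an HTTPS site; the two helper function names are assumptions, not PHP built-ins.

```php
<?php
// Added example (not from the book): harden PHP session handling so the
// session ID travels only in a cookie, never in the URL or a form.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and HTTPS.

// Weak configuration that the text warns against: a "transparent" session ID.
// With these settings PHP rewrites links and forms to carry PHPSESSID when the
// browser sends no cookie, so the ID ends up in logs, Referer headers and
// copied URLs. Shown for contrast only; do not use.
//   ini_set('session.use_trans_sid', '1');
//   ini_set('session.use_only_cookies', '0');

// Hardened configuration: cookie-only session IDs (must precede session_start).
ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid', '0');    // never rewrite URLs/forms with the ID
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

session_set_cookie_params([
    'lifetime' => 0,        // session cookie: in memory only, gone when the browser closes
    'path'     => '/',
    'domain'   => '',       // assumption: current host only
    'secure'   => true,     // sent only over HTTPS, so it cannot be sniffed in the clear
    'httponly' => true,     // not readable by JavaScript
    'samesite' => 'Lax',
]);

session_start();

/**
 * Call this after a successful login. Issuing a fresh ID on privilege change
 * defeats session fixation: an ID planted before login is discarded.
 * Hypothetical helper name, not a PHP built-in.
 */
function establishAuthenticatedSession(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session data file
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_time'] = time();
}

/**
 * Detection aid: because use_only_cookies is on, PHP already ignores an ID in
 * the query string, but seeing one is worth logging as a sign of a copied or
 * planted link. Hypothetical helper name, not a PHP built-in.
 */
function sessionIdLeakedInUrl(): bool
{
    return isset($_GET[session_name()]);
}
```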
