About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


PHP Session Security

My talk for php|works, PHP Session Security, is now online.

As with most of my talks, the slides only provide a vague outline. I hope to offer a more useful resource for session security (similar to the PHP Security Workbook) sometime soon.

About This Post

PHP Session Security was posted on Fri, 24 Sep 2004 at 18:30:51 GMT.

2 Comments

1. Christopher Thompson said:

Great information. Do you know of any libraries or classes that centralize session management and provide features like those you discussed in your talk?

If not what would such a thing look like?

Fri, 24 Sep 2004 at 23:47:44 GMT


2. Chris Shiflett said:

Felix Zaslavskiy sent me the following link:

http://www.zaslavskiy.net/extra/files/session.php

I haven't had a chance to review this implementation yet, but it looks like it might be the type of thing you're looking for.

If you do use it or review the implementation in any way, please let everyone know what you think.

Mon, 27 Sep 2004 at 04:53:03 GMT


