
Secure Handling of Cookies and Sessions in PHP Applications

This chapter emphasizes the importance of securing sensitive information in web applications. It covers how to manage user sessions securely by avoiding the storage of sensitive data in cookies and instead utilizing session variables. Code snippets illustrate techniques such as checking the `HTTP_USER_AGENT` to prevent session hijacking. Additionally, there are methods to combat spam in form submissions through validation and sanitization techniques. The chapter further explains data validation strategies, stressing the principle that any data from external sources cannot be trusted.


Presentation Transcript


  1. Chapter 13 Security Methods Part 1

  2. Cookies and Sessions • “Because important information is normally stored in sessions (you should never store sensitive data in cookies), security becomes more of an issue.”

  3. login.php • Script 12.12 on page 397 • ch12\script_12_12\login.php
     $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);
     • The HTTP_USER_AGENT is a combination of the browser and operating system being used.

  4. loggedin.php • Script 12.13 on page 398 • ch12\script_12_13\loggedin.php
     if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT']))) {
         // Need the functions:
         require ('includes/login_functions.inc.php');
         redirect_user();
     }
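The two fragments above (slides 3 and 4) only make sense together, so here is the pair as an added example that is not from the slides or the book. Both functions take the session and server arrays as parameters so the logic can be run from the command line without a web server; the book's redirect_user() is replaced by a boolean return, and hash_equals() (assumed available, PHP 5.6 and later) is used for the comparison. Keep in mind that the User-Agent string is supplied by the client, so this check catches a hijacker whose browser string differs from the victim's and nothing more; it complements session-cookie protections rather than replacing them.

```php
<?php
// Added example: the login.php / loggedin.php agent check as two functions.
// $session and $server stand in for $_SESSION and $_SERVER so the code runs
// from the CLI on constructed data.

// On successful login: record a fingerprint of the client in the session.
function record_agent(array &$session, array $server): void
{
    $session['agent'] = md5($server['HTTP_USER_AGENT'] ?? '');
}

// On every protected page: true only when a fingerprint was stored at login
// and it matches the fingerprint of the current request.
function agent_matches(array $session, array $server): bool
{
    if (!isset($session['agent'])) {
        return false;               // no login recorded in this session
    }
    $current = md5($server['HTTP_USER_AGENT'] ?? '');
    return hash_equals($session['agent'], $current);
}

// Constructed sample data for the demonstration.
$session = [];
$browser = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0'];
$other   = ['HTTP_USER_AGENT' => 'curl/8.0'];

record_agent($session, $browser);
var_dump(agent_matches($session, $browser)); // same client: allowed
var_dump(agent_matches($session, $other));   // different client: treat as not logged in
var_dump(agent_matches([], $browser));       // nothing stored yet: treat as not logged in
```

In loggedin.php the false branch is where the book calls redirect_user(); a caller of agent_matches() would do the same and also clear the session rather than leave the stale agent value in place.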

  5. Preventing Spam
     mail(to, subject, body, [headers]);
     • Enter the spam into the comments of the “Contact Me” form.
     • In “Name:”, enter “me@example.com\nBcc:poorsap@example.org”

  6. Table 13.1 Spam Tip-offs

  7. email.php • Script 13.1 on pages 404-405 • ch13\email.php

  8. spam_scrubber()
     $very_bad = array('to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:', 'multipart-mixed:', 'content-transfer-encoding:');
     foreach ($very_bad as $v) {
         if (stripos($value, $v) !== false) return '';
     }

  9. spam_scrubber()
     // Replace any newline characters with spaces:
     $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);

  10. email.php
     $scrubbed = array_map('spam_scrubber', $_POST);
     $body = "Name: {$scrubbed['name']}\n\nComments: {$scrubbed['comments']}";
     mail('your_email@example.com', 'Contact Form Submission', $body, "From: {$scrubbed['email']}");
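Slides 5 and 8 through 10 describe the problem (a newline plus a Bcc: header typed into a form field) and the fix in separate fragments. The following is an added example, not the book's email.php, that assembles the complete spam_scrubber() and runs it over a constructed submission shaped like the one on slide 5. The mail() call is replaced by build_contact_mail(), a hypothetical function that returns the four arguments email.php would pass to mail(), so the effect of the scrubbing can be inspected without a mail server.

```php
<?php
// Added example: spam_scrubber() from slides 8-9 applied to a constructed
// form submission; mail() is not called, the message parts are returned.

function spam_scrubber($value)
{
    // A header-like token anywhere in a field discards the whole field:
    // these are the words a header-injection payload has to contain.
    $very_bad = array('to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:',
                      'multipart-mixed:', 'content-transfer-encoding:');
    foreach ($very_bad as $v) {
        if (stripos($value, $v) !== false) return '';
    }
    // Replace any newline characters with spaces, including the URL-encoded
    // forms, so no field can start a new header line:
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);
    return trim($value);
}

// Builds what email.php hands to mail() and returns it instead of sending.
function build_contact_mail(array $post): array
{
    $scrubbed = array_map('spam_scrubber', $post);
    $body = "Name: {$scrubbed['name']}\n\nComments: {$scrubbed['comments']}";
    return [
        'to'      => 'your_email@example.com',
        'subject' => 'Contact Form Submission',
        'body'    => $body,
        'headers' => "From: {$scrubbed['email']}",
    ];
}

// Constructed submission modelled on slide 5: the Name field carries a
// newline followed by a Bcc: header; the comment has an ordinary line break.
$post = [
    'name'     => "me@example.com\nBcc:poorsap@example.org",
    'email'    => "me@example.com",
    'comments' => "Hello,\r\nplease call me back.",
];

$mail = build_contact_mail($post);
// Name is emptied because it contained 'bcc:'; the comment's CRLF becomes a
// space; the From: header stays a single line.
print_r($mail);
```

The order inside spam_scrubber() matters: the token check runs on the raw value first, so a payload split across an encoded newline is still caught by stripos() before the newline replacement flattens the field.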

  11. Validation • “if data comes from the outside of the server, it can’t be trusted.” • Whitelist • Blacklist

  12. Type Validation Functions

  13. calculator.php • Script 13.2 on pages 410-411 • http://cscdb.nku.edu/csc301/frank/ch13/calculator1.php • ch13\script_13_02\calculator.php

  14. Typecasting
     $quantity = (int) $_POST['quantity'];
     $price = (float) $_POST['price'];
     $tax = (float) $_POST['tax'];
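Slides 11 through 14 give the pieces of one procedure: whitelist the fields you expect, validate their type, then typecast. As an added example that is not the book's calculator.php, the function below carries the three fields from slide 14 through all three steps and returns null on any rejected input; the range rules (quantity at least 1, no negative price or tax) and the percentage tax formula are assumptions for the illustration. Validation must come before the cast: (int) 'three' silently becomes 0, so casting alone would hide the bad input instead of rejecting it.

```php
<?php
// Added example: whitelist, type validation and typecasting of the
// calculator.php inputs, returning the result instead of printing a page.

function calculate_total(array $post): ?array
{
    // Whitelist: only these fields are read; anything else in the request is ignored.
    $fields = ['quantity', 'price', 'tax'];
    foreach ($fields as $f) {
        // Type validation with is_numeric() before any cast, so non-numeric
        // input is rejected rather than coerced to 0.
        if (!isset($post[$f]) || !is_numeric($post[$f])) {
            return null;
        }
    }

    // Typecasting: from here on the variables have the type the arithmetic expects.
    $quantity = (int)   $post['quantity'];
    $price    = (float) $post['price'];
    $tax      = (float) $post['tax'];

    // Range checks (assumed business rules): is_numeric() accepts negatives.
    if ($quantity < 1 || $price < 0 || $tax < 0) {
        return null;
    }

    $subtotal = $quantity * $price;
    $total    = $subtotal + $subtotal * ($tax / 100);   // tax given as a percentage
    return ['quantity' => $quantity, 'subtotal' => $subtotal, 'total' => $total];
}

// Constructed inputs: a valid submission, a word where a number is expected,
// and a negative quantity that passes is_numeric() but fails the range check.
$cases = [
    ['quantity' => '3',     'price' => '9.99', 'tax' => '6'],
    ['quantity' => 'three', 'price' => '9.99', 'tax' => '6'],
    ['quantity' => '-1',    'price' => '9.99', 'tax' => '6'],
];
foreach ($cases as $c) {
    var_dump(calculate_total($c));
}
```

Note that every value in $_POST arrives as a string, which is why is_numeric() is applied to the raw field and the cast is applied afterwards; a field that is missing from the request fails the isset() test and is treated like any other invalid input.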

  15. Assignment #22 • http://cscdb.nku.edu/csc301/frank/ch12a/view_users.php • http://cscdb.nku.edu/csc301/frank/ch12a/login.php
