[ciapug] Securing session variables
Lathrop Preston
ciapug@cialug.org
Tue, 18 Nov 2003 09:43:47 -0600
Unless someone gets access to the server and places a file to read out
the session contents (at which point session/no-session is not an issue
any more), there really is no way for someone unauthorized to access
session contents. The only thing stored on the user's computer is the
session ID (if using cookie-based sessions, the default).
One additional measure you could try is to check the Referer header
to ensure that it is not an attempt to direct-link in (this breaks in IE
because IE does not send _any_ header for Referer...).
I have had to deal with a lot of issues with php session handling for a
large project I work on.
Lathrop
Chris Hettinger wrote:
> The application that I am writing deals with the input of patient
> information. I don't pass much at all in session variables, except a
> couple of IDs. Really I was not sure how 'secure' session variables are
> from being seen, hence my question.
>
> Just trying to cover my end.
>
>
> -----Original Message-----
> From: ciapug-admin@cialug.org [mailto:ciapug-admin@cialug.org]On Behalf
> Of Lathrop Preston
> Sent: Tuesday, November 18, 2003 8:51 AM
> To: ciapug@cialug.org
> Subject: Re: [ciapug] Securing session variables
>
>
>
> I am not exactly certain what you are trying to accomplish here with
> this.
>
> could you explain the need for this security.
>
> Lathrop
>
> Chris Hettinger wrote:
>
>>What are your suggestions in regards to securing session variables in
>>web site applications?
>>
>>I am currently working on a project in which I am using session
>>variables to store some key identifiers so the next page(s) can use them.
>>I am wondering if I could do anything to secure these variables between
>>page transitions.
>>
>>Could I encode them in some way on page X, before redirecting to page
>>Y, then have something decode it on page Y so it can be used??
>>
>>-Chris Hettinger, Web Specialist
>>-IFMC/ENCOMPASS
>>-www.encompas.com
>>-(515) 279-8730
>>
>>CONFIDENTIALITY NOTICE: This communication, including any attachment,
>>may contain confidential information and is intended only for the
>>individual or entity to whom it is addressed. Any review,
>>dissemination, or copying of this communication by anyone other than the
>>intended recipient is strictly prohibited. If you are not the intended
>>recipient, please contact the sender by reply email, delete and destroy
>>all copies of the original message.
>>
>>_______________________________________________
>>ciapug mailing list
>>ciapug@cialug.org
>>http://cialug.org/mailman/listinfo/ciapug
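The Referer check Lathrop describes, written out as an added example for this archive page (it is not code from the thread or from either poster). The helper returns a three-way decision so that the missing-header case he mentions is handled explicitly rather than silently denying or allowing; the hostname app.example.com and the session key patient_id are constructed for the example.

```php
<?php
// Added example, not from the ciapug thread. Assumes the application is served
// from https://app.example.com/ (constructed) and that the page is one that
// should only be reached from within the application, not by a direct link.

/**
 * Classify a request by its Referer header.
 *
 * Returns 'allow', 'deny' or 'absent'. 'absent' is reported separately
 * because, as the thread notes, some browsers (IE at the time) send no
 * Referer at all: treating absence as 'deny' locks those users out, while
 * treating it as 'allow' gives up the check for every client that omits
 * the header. The Referer is set by the client and is only a hint; the
 * server-side session remains the real control.
 */
function referer_decision(?string $referer, string $expectedHost): string
{
    if ($referer === null || $referer === '') {
        return 'absent';
    }
    $parts = parse_url($referer);
    // parse_url() returns false on badly malformed URLs and omits 'host'
    // for relative references; neither is an acceptable same-site referer.
    if ($parts === false || !isset($parts['host'])) {
        return 'deny';
    }
    return strcasecmp($parts['host'], $expectedHost) === 0 ? 'allow' : 'deny';
}

// Session data itself lives on the server; the cookie carries only the ID
// (compare session_id() with the contents of $_SESSION to see the split).
session_start();

$decision = referer_decision($_SERVER['HTTP_REFERER'] ?? null, 'app.example.com');
if ($decision === 'deny') {
    http_response_code(403);
    exit('Direct linking to this page is not permitted.');
}
// 'absent' falls through: the session check below still gates the page.

if (!isset($_SESSION['patient_id'])) {   // constructed key name
    header('Location: /start.php');
    exit;
}
```

The function is kept free of side effects so it can be unit-tested with sample header values (`null`, an off-site URL, a same-host URL with a different case) without a running web server; only the calling code at the bottom touches the request and the session.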