[ciapug] Securing session variables

Chris Hettinger ciapug@cialug.org
Tue, 18 Nov 2003 09:47:18 -0600


Thanks for the info on that, Laith.

-----Original Message-----
From: Lathrop Preston [mailto:laith@prestonfam.org]
Sent: Tuesday, November 18, 2003 9:44 AM
To: ciapug@cialug.org
Subject: Re: [ciapug] Securing session variables



Unless someone gets access to the server and places a file to read out
the session contents (at which point session/no-session is not an issue
any more)

there really is no way for someone unauthorized to access session
contents.

The only thing stored on the user's computer is the session id (if using
cookie based sessions, the default).

One additional measure you could try is to check the referer header
to ensure that it is not an attempt to direct link in (breaks in IE
because IE does not send _any_ header for referer...).

I have had to deal with a lot of issues with PHP session handling for a
large project I work on.

Lathrop

Chris Hettinger wrote:

> The application that I am writing deals with the input of patient
> information. I don't pass much at all in session variables, except a
> couple of IDs. Really I was not sure how 'secure' session variables are
> from being seen, hence my question.
>
> Just trying to cover my end.
>
>
> -----Original Message-----
> From: ciapug-admin@cialug.org [mailto:ciapug-admin@cialug.org] On Behalf
> Of Lathrop Preston
> Sent: Tuesday, November 18, 2003 8:51 AM
> To: ciapug@cialug.org
> Subject: Re: [ciapug] Securing session variables
>
>
>
> I am not exactly certain what you are trying to accomplish here with
> this.
>
> Could you explain the need for this security?
>
> Lathrop
>
> Chris Hettinger wrote:
>
>>What are your suggestions in regards to securing session variables in
>>web site applications?
>>
>>I am currently working on a project in which I am using session
>>variables to store some key identifiers so the next page(s) can use them.
>>I am wondering if I could do anything to secure these variables between
>>page transitions.
>>
>>Could I encode them in some way on page X, before redirecting to page
>>Y, then have something decode it on page Y so it can be used?
>=20
>>-Chris Hettinger, Web Specialist
>>-IFMC/ENCOMPASS
>>-www.encompas.com
>>-(515) 279-8730
>>
>>
>>
>>CONFIDENTIALITY NOTICE:  This communication, including any attachment,
>>may contain confidential information and is intended only for the
>>individual or entity to whom it is addressed.  Any review,
>>dissemination, or copying of this communication by anyone other than the
>>intended recipient is strictly prohibited.  If you are not the intended
>>recipient, please contact the sender by reply email, delete and destroy
>>all copies of the original message.
>>
>>_______________________________________________
>>ciapug mailing list
>>ciapug@cialug.org
>>http://cialug.org/mailman/listinfo/ciapug
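Added example, not code from the thread or from either poster: what the arrangement Lathrop describes looks like in PHP. Page X stores the identifiers in $_SESSION and redirects; only the session id cookie reaches the browser, so the values never need to be encoded on the client side as Chris asked. Page Y applies the Referer check Lathrop suggests before reading them back. The example goes one step beyond the thread by calling session_regenerate_id() when the sensitive values are first stored, since the session id is the credential that unlocks the server-side data. The origin constant APP_ORIGIN, the page path /page_y.php and the patient_id/encounter_id names are assumptions for illustration; the Referer values in the CLI block at the bottom are constructed samples.

```php
<?php
// Added example (not from the list thread). APP_ORIGIN, /page_y.php and the
// session keys below are assumptions made for illustration.
declare(strict_types=1);

const APP_ORIGIN = 'https://app.example.org'; // assumed: this application's origin

// Page X: put the key identifiers in $_SESSION. Only the session id (the
// cookie) goes to the browser; the values stay in the server-side session
// store, so nothing has to be encoded for the trip to page Y.
function page_x_store(int $patientId, int $encounterId): void
{
    session_start();
    // Issue a fresh id once the session starts carrying sensitive data, so an
    // id the browser held before this point cannot be used to read it.
    session_regenerate_id(true);
    $_SESSION['patient_id']   = $patientId;
    $_SESSION['encounter_id'] = $encounterId;
    session_write_close();
    header('Location: /page_y.php', true, 303);
    exit;
}

// Normalise a URL to scheme://host:port so origins compare reliably
// (explicit :443 on https, or :80 on http, equals the implicit default).
function origin_of(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// The Referer check from the thread: accept only if the browser reports that
// the request came from this application. The header is set by the client,
// so this deters direct linking but is not an authorization decision.
function came_from_this_app(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false; // clients that omit Referer are turned away here
    }
    $ref = origin_of($referer);
    return $ref !== null && $ref === origin_of(APP_ORIGIN);
}

// Page Y: read the identifiers back out of the server-side session.
function page_y_load(): array
{
    if (!came_from_this_app($_SERVER['HTTP_REFERER'] ?? null)) {
        http_response_code(403);
        exit('Direct access to this page is not allowed.');
    }
    session_start();
    if (!isset($_SESSION['patient_id'], $_SESSION['encounter_id'])) {
        http_response_code(400);
        exit('No patient selected.');
    }
    return [
        'patient_id'   => (int) $_SESSION['patient_id'],
        'encounter_id' => (int) $_SESSION['encounter_id'],
    ];
}

// Stand-alone check of the Referer logic with constructed sample values.
if (PHP_SAPI === 'cli') {
    $samples = [
        'https://app.example.org/page_x.php?id=1'   => true,
        'https://app.example.org:443/page_x.php'    => true,  // explicit default port
        'http://app.example.org/page_x.php'         => false, // wrong scheme
        'https://evil.example.net/app.example.org'  => false, // our host only in the path
        ''                                          => false, // header missing
    ];
    foreach ($samples as $ref => $expected) {
        $ok = came_from_this_app($ref);
        printf("%-45s -> %s%s\n", var_export($ref, true),
               $ok ? 'allow' : 'deny', $ok === $expected ? '' : '  (unexpected)');
    }
}
```

Run it from the command line to exercise came_from_this_app(); the page_x_store() and page_y_load() functions are meant to be called from the respective scripts under a web server. Because the Referer header is supplied by the browser, a client can omit or forge it, so the trustworthy state on page Y is what the server holds in $_SESSION for the authenticated user, not anything the header says.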