<p>As for your code, <code>session_set_cookie_params()</code> isn't called in any case. Therefore I propose to do this:</p>
<pre><code>// set the cookie parameters before the session is started
session_set_cookie_params(0);
session_start();
if (isset($_POST['username']) &amp;&amp; isset($_POST['password'])) {
    ...
}
</code></pre>
<p>Note that it's actually useful to always call <code>session_set_cookie_params()</code> for session cookies.</p>
<blockquote>
<p><strong>Generate a new session-ID at each user level change</strong></p>
</blockquote>
<p>To protect your applications against attackers, it is absolutely required to change the session ID after each change of the role of a user:</p>
<ul>
<li>Anonymous user -> Logged in user</li>
<li>Logged in user -> anonymous user</li>
<li>Logged in user -> Administrative logged in user</li>
<li>...</li>
</ul>
<p>Thus, if a user gets logged in or logged off, please <strong>regenerate the session ID</strong> like so:</p>
<pre><code>session_regenerate_id( true );
</code></pre>
<p>Have a look in <a href="https://www.owasp.org/" rel="nofollow">OWASP</a>'s <a href="https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet" rel="nofollow">PHP security cheat sheet</a>.</p>
<p><strong>Session-files get deleted regularly</strong></p>
<p>Using PHP's standard session policy, sessions get mapped to regular files, so called session-files. If the user closes his browser, the session-file keeps living in the file system. Quite likely, the <strong>operating system is going to delete the session-file once a day</strong> (by night).</p>
<p>Thus, if a user comes back a day later, the session ID cookie points to a <strong>session-file, which might no longer be available</strong>.</p>
<p><strong>The case of public PCs</strong></p>
<p>Additionally, imagine a browser running on a public PC: if a user closes his browser and a new user logs in, the other <strong>user gets automatically logged</strong> in.</p>
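<p>The two rules from the answer above (configure the session cookie before <code>session_start()</code>, regenerate the session ID on every user-level change) applied in one login/logout handler. This is an added example, not the answerer's code; <code>check_credentials()</code> and the <code>logout</code> form field are hypothetical placeholders for the application's own pieces.</p>

```php
<?php
// Added example: login/logout handling that follows the answer's advice.
// check_credentials() is a hypothetical stand-in for the real user store.
function check_credentials(string $username, string $password): bool
{
    // Constructed sample user; a real application looks this up in its store.
    $users = ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Always set the cookie parameters before starting the session.
// lifetime 0: the cookie is discarded when the browser closes (public-PC case).
// secure/httponly: cookie travels only over HTTPS and is invisible to scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

if (isset($_POST['username'], $_POST['password'])) {
    if (check_credentials($_POST['username'], $_POST['password'])) {
        // Anonymous -> logged in: issue a fresh ID and delete the old session
        // file so an ID handed out before login cannot be reused.
        session_regenerate_id(true);
        $_SESSION['user'] = $_POST['username'];
    }
}

if (isset($_POST['logout'])) {
    // Logged in -> anonymous: drop all session data and rotate the ID again,
    // so the next person at the same browser starts from an empty session.
    $_SESSION = [];
    session_regenerate_id(true);
}

// A visitor whose session file was purged overnight simply arrives anonymous:
// the stale cookie maps to no data, so $_SESSION['user'] is unset.
if (empty($_SESSION['user'])) {
    echo "anonymous\n";
} else {
    echo "logged in as {$_SESSION['user']}\n";
}
```

<p>The array form of <code>session_set_cookie_params()</code> requires PHP 7.3 or later; on older versions pass the lifetime, path, domain, secure and httponly values as separate arguments.</p>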