Security Concerns when Developing PHP Applications Page 2

By PHP Builder Staff
on December 4, 2009

$_SESSION: This is handy for keeping users logged in, as a primitive example. Setting a session variable and then checking that it is still there when the page reloads is quite a common practice. SESSIONS are somewhat more secure than GET and POST, but suffer from their own problems too. It is not a good idea, for example, to store credit card numbers in a SESSION ARRAY, because that session data may live on for hours after the user has left the site.
$_COOKIE: Cookies have a different purpose. Usually these will be used for REMEMBER ME login scripts, for example. If you check the “remember me” feature on the Gmail login, the next time you come back to Gmail you are still logged in, right? That is because Gmail set a cookie on your browser, telling it to remember your login details. Cookies are bad for sensitive data, as they sit around on your browser just waiting to be exploited. The nice thing about cookies is that you can set what domain they work on, as well as how long they should take to expire. The bad thing is that developers get lazy and let them live for 1000000000000000000 seconds and do not stipulate a domain that they are valid for. I sure hope that developer did not code my bank’s website, because there are certainly going to be problems quite soon if he did.
Any other website with a script in it to read your browser’s cookies will find my credit card information quite handy (OK, who am I trying to kid? I should say “Someone’s Credit Card Information”) simply because the guy who developed the website did not bother to specify the domain, thus the cookie is available to all domains. That is BAD. A footnote on cookies is that they are used to track your movements and your search and browsing history by marketing companies and the major search engines. Clear your cookies in your browser OFTEN. It is in your best interest.
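As an added example (not code from the original article), here is the careless remember-me cookie the text describes beside a hardened version that stores only a random token in the browser and scopes the cookie by domain, path, lifetime and flags. The function names and the in-memory $rememberStore are assumptions made for this illustration, and the options-array form of setcookie() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for a database table of remember-me tokens:
// sha256(token) => ['user' => id, 'expires' => unix timestamp].
$rememberStore = [];

// The careless cookie the article describes: the sensitive value itself,
// a lifetime of years, and no domain, path or flags. Shown only as the "before".
function rememberMeWeak(string $cardNumber): void
{
    setcookie('card', $cardNumber, time() + 10 * 365 * 24 * 3600);
}

// Hardened remember-me: the browser only ever holds a random opaque token,
// the server keeps a hash of it, and the cookie is scoped and time-limited.
// Assumed helper name; not part of the original article.
function rememberMeHardened(array &$store, int $userId, string $domain): string
{
    $token   = bin2hex(random_bytes(32));            // 256-bit random token
    $expires = time() + 30 * 24 * 3600;              // 30 days, not "forever"
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $expires];

    setcookie('remember', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => $domain,                       // explicit domain, as the text urges
        'secure'   => true,                          // sent over HTTPS only
        'httponly' => true,                          // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return $token;
}

// On a later visit: check the token's shape, hash it, look it up, check expiry.
function userFromRememberToken(array $store, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                 // missing or malformed
    }
    $row = $store[hash('sha256', $token)] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;                                 // unknown, revoked or expired
    }
    return $row['user'];
}

// Usage (CLI demo; a real login handler would read $_COOKIE['remember']).
$token = rememberMeHardened($rememberStore, 42, 'example.com');
var_dump(userFromRememberToken($rememberStore, $token));
var_dump(userFromRememberToken($rememberStore, str_repeat('0', 64)));
```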
In Conclusion
Hopefully you have learned that it is best to process the passing of information from one page to another by using the technique that best suits your needs. Basic navigation should use GET, while form submissions should use POST, and information for sustaining sessions should use SESSION. COOKIES are best used for domain-sensitive information like REMEMBER ME.
Until next time,

Marc Steven Plotz