PHP and Security—Not Trivial
In stereotypical developer-cat fashion (because controlling developers is like “herding cats”), I flippantly tacked on PHP Security issues as a slam-dunkable afterthought. Wrong! I’m on the second day of looking into PHP security issues. This is the tattered list:
- The main issue (for me) is protecting session state from theft. I am now aware that this is called Session Fixation in one scenario and Session Hijacking (an XSS exploit) in another.
- I am led to believe that Session-Hijacking countermeasures do not lead to perfect security. This belief comes from browsing http://phpsec.org/library/.
- Somehow, reading led to http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html.
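As an added example (not code from the original post), here is a PHP session bootstrap covering the two scenarios named in the list: strict mode and cookie-only session IDs against fixation, HttpOnly/Secure cookie flags against script-based cookie theft, and ID regeneration at login. The function names are assumptions; the PHP settings and functions are real (PHP 7.3 or later for the `samesite` options).

```php
<?php
// Added example, not from the original post. Function names are
// assumptions; the ini settings and session functions are real PHP.
declare(strict_types=1);

function startHardenedSession(): void
{
    // Session fixation: reject IDs the server never issued, so an
    // attacker-planted ID is discarded and a fresh one is generated.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_start([
        // HttpOnly hides the cookie from document.cookie, the usual
        // read path for an XSS-based hijack.
        'cookie_httponly' => true,
        // Never send the session cookie over plaintext HTTP.
        'cookie_secure'   => true,
        // Do not attach the cookie to cross-site requests.
        'cookie_samesite' => 'Lax',
    ]);
}

function loginUser(int $userId): void
{
    // Privilege change: rotate the ID so anything observed or planted
    // before login no longer maps to the authenticated session.
    // `true` deletes the old session data on the server.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie client-side, then destroy server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

startHardenedSession();
```

Call `loginUser()` only after the credential check succeeds; regenerating the ID on every request instead is a common mistake that breaks concurrent requests without adding protection.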