PHP and Security—Not Trivial

In stereotypical developer-cat fashion (because controlling developers is like “herding cats”), I flippantly tacked on PHP Security issues as a slam-dunkable after thought. Wrong! I’m on the second day of looking into PHP security issues. This is the tattered list:

• The main issue (for me) is protecting session state from theft. I am now aware that this is called Session Fixation in one scenario and Session Hijacking (an XSS exploit) in another.
• I am led to believe that Session-Hijacking countermeasures do not lead to perfect security. This belief comes from browsing http://phpsec.org/library/.
• Somehow, reading led to http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html.

rasx()