O'Reilly Open Source Convention
Securing PHP Sessions
Chris Shiflett, Principal, OmniTI Computer Consulting, Inc.

Track: PHP
Date: Friday, July 30
Time: 10:45am - 11:30am
Location: Salon C


PHP's native session mechanism gives web developers all of the tools they need to build stateful PHP applications. In this talk, Shiflett explains how to take this one step further and secure your sessions, making impersonation harder and defending against various types of attacks.

By taking a detailed look at the HTTP transactions that take place as users interact with a web application, you will gain important insight into the challenge of maintaining state. You will learn how to identify patterns in a web browser's requests to create a virtual fingerprint as well as how to leverage multiple identifiers.

Beginning with the most basic example of implementing sessions with PHP, Shiflett shows exactly what is required to impersonate a user. This basic example is strengthened by the introduction of a few different techniques. As each technique is introduced and explained, the resulting user experience is contrasted with a sample attack required to impersonate the user. By the end, you should have a much clearer understanding of sessions and walk away with some useful techniques that you can implement in your own applications.
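The abstract describes two of the techniques in general terms: deriving a fingerprint from the browser's request headers and binding the session to more than one identifier. The following is an added example written for this page, not code from the talk or from Shiflett; it assumes PHP 7 or later (for `random_bytes` and `hash_equals`), a server-side secret named `SESSION_FP_SECRET` supplied by the deployment (a placeholder value is used here), and a second cookie named `auth_token` that the example itself issues.

```php
<?php
// Added example (not from the talk): bind a PHP session to a keyed request
// fingerprint and to a second, independently issued token, and rotate the
// session ID periodically. Assumes PHP 7+. SESSION_FP_SECRET is a placeholder
// for a secret the deployment provides.

declare(strict_types=1);

const SESSION_FP_SECRET = 'replace-with-a-long-random-secret'; // placeholder
const ROTATION_INTERVAL = 300; // seconds between session ID rotations

// Fingerprint built from headers that stay stable for one browser over a
// session. Keyed with a server secret so the stored value cannot be derived
// from the headers alone.
function requestFingerprint(array $server, string $secret): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    return hash_hmac('sha256', implode("\n", $parts), $secret);
}

// Issue fresh session state: fingerprint, second identifier, rotation clock.
function initialiseSession(string $fingerprint): void
{
    $_SESSION = [];
    session_regenerate_id(true); // new ID, old server-side record deleted
    $_SESSION['fp'] = $fingerprint;
    $_SESSION['token'] = bin2hex(random_bytes(16));
    $_SESSION['last_rotation'] = time();
    // Second identifier travels in its own HttpOnly cookie. The Secure flag
    // (6th argument) should be true on an HTTPS deployment.
    setcookie('auth_token', $_SESSION['token'], 0, '/', '', false, true);
}

function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept IDs from the URL
    ini_set('session.cookie_httponly', '1');  // keep the ID away from scripts
    session_start();

    $fp = requestFingerprint($_SERVER, SESSION_FP_SECRET);

    if (!isset($_SESSION['fp'], $_SESSION['token'])) {
        initialiseSession($fp); // first request of a new session
        return;
    }

    $tokenOk = isset($_COOKIE['auth_token'])
        && hash_equals($_SESSION['token'], $_COOKIE['auth_token']);

    if (!$tokenOk || !hash_equals($_SESSION['fp'], $fp)) {
        // Either identifier failed: treat the session as untrusted and
        // start over rather than serve it under the existing identity.
        initialiseSession($fp);
        return;
    }

    // Both identifiers matched: rotate the ID on a schedule so a captured
    // ID has a bounded useful life.
    if (time() - $_SESSION['last_rotation'] > ROTATION_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['last_rotation'] = time();
    }
}

startSecureSession();
```

Call `startSecureSession()` before any output, since it sets cookies. The fingerprint only raises the bar: a request whose headers and both cookies were all captured together will still pass, which is why the example pairs it with a second identifier and periodic ID rotation rather than relying on it alone. Each check uses `hash_equals` so the comparison does not leak timing information.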

© 2004, O'Reilly Media, Inc.