Chris Shiflett, Principal, OmniTI Computer Consulting, Inc.
Track: PHP
Date: Friday, July 30
Time: 10:45am - 11:30am
Location: Salon C
PHP's native session mechanism provides web developers with all of the tools they need to create stateful PHP applications. In this talk, Shiflett explains how to take this one step further and harden your sessions, making impersonation more difficult and defending against various types of attacks.
By taking a detailed look at the HTTP transactions that take place as users interact with a web application, you will gain important insight into the challenge of maintaining state. You will learn how to identify patterns in a web browser's requests to create a virtual fingerprint as well as how to leverage multiple identifiers.
Beginning with the most basic example of implementing sessions with PHP, Shiflett shows exactly what is required to impersonate a user. This basic example is strengthened by the introduction of a few different techniques. As each technique is introduced and explained, the resulting user experience is contrasted with a sample attack required to impersonate the user. By the end, you should have a much clearer understanding of sessions and walk away with some useful techniques that you can implement in your own applications.
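To make the fingerprint and multiple-identifier ideas concrete, here is an added example in the spirit of the abstract (it is not code from the talk or from Shiflett). It assumes the fingerprint is an HMAC of the User-Agent header under a server-side secret, and that the second identifier is a random token carried in a separate cookie; the secret, cookie name and rotation interval are placeholders.

```php
<?php
// Added example, not from the talk. Assumed design: a session is accepted only
// when the session ID, a User-Agent fingerprint and a second random token all agree.

const FINGERPRINT_SECRET = 'replace-with-a-long-random-server-secret'; // placeholder

function session_fingerprint(): string {
    // Hash rather than store the raw header so the session store does not
    // reveal client details; the secret keeps the value from being precomputed.
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', FINGERPRINT_SECRET);
}

function start_secure_session(): void {
    $cookie_opts = ['httponly' => true, 'secure' => true, 'samesite' => 'Lax'];
    session_set_cookie_params($cookie_opts); // must precede session_start()
    session_start();

    if (!isset($_SESSION['fingerprint'])) {
        // First request: record the identifiers that later requests must match.
        $_SESSION['fingerprint'] = session_fingerprint();
        $_SESSION['token'] = bin2hex(random_bytes(16));
        setcookie('token', $_SESSION['token'], $cookie_opts); // assumed cookie name
        return;
    }

    $fingerprint_ok = hash_equals($_SESSION['fingerprint'], session_fingerprint());
    $token_ok = isset($_COOKIE['token']) && hash_equals($_SESSION['token'], $_COOKIE['token']);

    if (!$fingerprint_ok || !$token_ok) {
        // A valid session ID arriving without the other identifiers is treated
        // as possible impersonation: log it and discard the session.
        error_log('session identifier mismatch for session ' . session_id());
        session_unset();
        session_destroy();
        http_response_code(403);
        exit;
    }

    // All identifiers matched; rotate the session ID periodically (300 s is an
    // assumed interval) to shorten the window in which a captured ID is useful.
    if (!isset($_SESSION['rotated']) || time() - $_SESSION['rotated'] > 300) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
}

start_secure_session();
```

Fingerprints built from request headers are a hurdle rather than a guarantee, since a legitimate client that changes its User-Agent (for example after a browser update) will also be logged out; the mismatch log line is what lets a defender tell those cases apart from repeated failures against one session.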