Moving discussion to fw-auth.
Hi Depace,
Is there a specific section, paragraph, or example that is confusing?
For each risk relating to session hijacking and session fixation, a
suggestion has been included in the manual to minimize the risk. I've
scanned through the docs and added additional content
(http://framework.zend.com/wiki/x/ikI), which will become live within an
hour. For example, avoiding XSS vulnerabilities helps prevent
session hijacking:
http://en.wikipedia.org/wiki/Cross_site_scripting
As another example, the risk posed by sharing "save_path" between PHP
applications is addressed by simply setting the save_path to a unique
value for each PHP application, where the value corresponds to a
protected directory that cannot be read or viewed by potential
attackers, just like we protect our home directories on shared web hosts
by removing world read/write/execute permissions.
We do not yet have an official tutorial for the Zend Framework at the
moment that covers Zend_Session, although this is planned :)
I do not like to give the following summary without the detailed
explanations in the manual, since security precautions often depend on
the circumstances, and "one size" certainly does not work for everyone.
Briefly, we could summarize one possible scenario with:
myapp.ini
===================
[sandbox : live]
save_path = /some/thing/protected/from/other/apps/and/user
name = name_unique_to_your_installed_app_and_server
use_only_cookies = on
remember_me_seconds = 864000
/index.php
====================
require_once 'Zend/Config/Ini.php';
$config = new Zend_Config_Ini('myapp.ini', 'sandbox'); // 'sandbox' inherits from 'live'
require_once 'Zend/Session.php';
Zend_Session_Core::setOptions($config->asArray());   // apply save_path, name, use_only_cookies, ...
Zend_Session_Core::regenerateId(); // more bandwidth, but extra cautious
In actions
======================
$userProfileNamespace = new Zend_Session('profile');
echo $userProfileNamespace->name;
$userProfileNamespace->lastRequest = time();
// etc.
depace wrote:
Hi,
is there a good tutorial for zend_session which also shows how to
protect against session hijacking (security)?
The ZF manual is very confusing... and I'm confused how to use it.
Thanks
--
Cheers,
Gavin
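As an added illustration of the two points above (a private save_path, and regenerating the id against fixation), here is a bootstrap that refuses to start the session if save_path is world-accessible and regenerates the id only when the user's privilege level changes rather than on every request. This is example code, not part of the original post or of Zend Framework; it reuses the class and method names from the post, and the `auth` namespace and `$justLoggedIn` flag are assumptions, as is a POSIX host for the permission check.

```php
<?php
// Added example (not from the original post or from Zend Framework).
require_once 'Zend/Config/Ini.php';
require_once 'Zend/Session.php';

// True only if $path is a directory with no "other" permission bits set,
// i.e. other accounts on a shared host cannot list or read session files.
// Assumes POSIX permission semantics.
function sessionPathIsPrivate($path)
{
    if (!is_dir($path)) {
        return false;
    }
    $mode = fileperms($path) & 0777;
    return ($mode & 0007) === 0;
}

$config  = new Zend_Config_Ini('myapp.ini', 'sandbox');
$options = $config->asArray();

// Check 1 (hijacking via a shared save_path): stop before any session
// file is written somewhere another application could read it.
if (!sessionPathIsPrivate($options['save_path'])) {
    header('HTTP/1.0 500 Internal Server Error');
    die('session save_path is missing or world-accessible: ' . $options['save_path']);
}

Zend_Session_Core::setOptions($options);

// Check 2 (fixation): a session id that existed before authentication may
// have been planted by an attacker, so issue a fresh one at the moment the
// user's privileges change. $justLoggedIn is assumed to be set by the
// application's authentication code on the request that validated the login.
$auth = new Zend_Session('auth'); // namespace name is an assumption
if (!empty($justLoggedIn)) {
    Zend_Session_Core::regenerateId(); // old id is discarded
    $auth->loggedInAt = time();
}
```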