yohgaki Fri Aug 16 20:32:26 2002 EDT
Modified files:
/phpdoc/en/reference/session reference.xml
Log:
Fixed typo. Patch by Martin Samesch <[EMAIL PROTECTED]>
Index: phpdoc/en/reference/session/reference.xml
diff -u phpdoc/en/reference/session/reference.xml:1.9
phpdoc/en/reference/session/reference.xml:1.10
--- phpdoc/en/reference/session/reference.xml:1.9 Wed Aug 14 18:25:22 2002
+++ phpdoc/en/reference/session/reference.xml Fri Aug 16 20:32:26 2002
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.9 $ -->
+<!-- $Revision: 1.10 $ -->
<reference id="ref.session">
<title>Session handling functions</title>
<titleabbrev>Sessions</titleabbrev>
@@ -50,32 +50,32 @@
<title>Sessions and security</title>
<para>
Using sessions, does not mean, you can be absolutely sure, that
- the session data can only be viewed by that user. This is impor-
- tant to keep in mind, when storing and displaying sensative
+ the session data can only be viewed by that user. This is important
+ to keep in mind, when storing and displaying sensitive
information. When storing data into a session, one should always
ask themselves, what the damage is, when somebody else views that
information, or how your application is affected when this session
is actually somebody else.
</para>
<para>
- For instance, if somebody else takes a session, can he than post
- a message in a forum, as that user and how big of a problem is that?
- Or perhaps he can view what the original user was thinking of
- ordering, because he gets access to that user's shopping cart.
+ For instance, if somebody else takes a session, can he then post
+ a message in a forum, as that user and how big of a problem is
+ that? Or perhaps he can view what the original user was thinking
+ of ordering, because he gets access to that user's shopping cart.
Obviously for a flowershop, this is less dramatic, than for a
- farmacy.
+ pharmacy.
</para>
<para>
- Therefore, when dealing with sensative information, there should
+ Therefore, when dealing with sensitive information, there should
always be additional methods to decide whether it is a valid
- session. Sessions are not reliable as a secure
- authentication mechanism.
+ session. Sessions are not reliable as a secure authentication
+ mechanism.
</para>
<para>
- Sessions rely on the session ID, meaning one can 'steal' a session,
- by stealing the session ID. This can be made harder, by using a cookie
- specifically a session cookie, but does not in any way make it
- impossible and still relies on the user closing all
+ Sessions rely on the session ID, meaning one can 'steal' a
+ session, by stealing the session ID. This can be made harder, by
+ using a cookie specifically a session cookie, but does not in any
+ way make it impossible and still relies on the user closing all
browser windows, to expire the session cookie.
Besides that, even session cookies can be sniffed on a network or
logged by a proxyserver.
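Review bot: the rewrapped first paragraph keeps the original's stray commas ("Using sessions, does not mean, you can be absolutely sure, that"); since these lines are being rewritten anyway, drop them: "Using sessions does not mean you can be absolutely sure that the session data can only be viewed by that user." Likewise "+ using a cookie specifically a session cookie" needs punctuation to read as intended: "by using a cookie, specifically a session cookie,". "is actually somebody else" would read better as "is actually being used by somebody else". The closing sentences about sniffing and proxy logging are the security point of the section and are fine as they stand.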
@@ -179,10 +179,11 @@
</listitem>
<listitem>
<simpara>
- <literal>session.referer_check</literal> contains the substring you
- want to check each HTTP Referer for. If the Referer was sent by the
- client and the substring was not found, the embedded session id will
- be marked as invalid. Defaults to the empty string.
+ <literal>session.referer_check</literal> contains the
+ substring you want to check each HTTP Referer for. If the
+ Referer was sent by the client and the substring was not
+ found, the embedded session id will be marked as invalid.
+ Defaults to the empty string.
</simpara>
</listitem>
<listitem>
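Review bot: the session.referer_check text should say what the check does not protect against. As written, the substring test only applies "If the Referer was sent by the client", so a client that omits the header passes unconditionally, and because the header is client-supplied its value cannot be trusted either; the setting is a hurdle against accidental session-ID leakage through links, not an authentication control. Suggest adding one sentence after "Defaults to the empty string.": "This is not a security mechanism on its own, since the client controls whether and what Referer is sent." The rewrap itself changes no wording.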
@@ -211,12 +212,13 @@
</listitem>
<listitem>
<simpara>
- <literal>session.use_only_cookies</literal> specifies whether the
- module will <emphasis role="strong">only</emphasis> use cookies to
- store the session id on the client side. Defaults to
- <literal>0</literal> (disabled, for backward compatibility). Enabling
- this setting prevents attacks involved passing session ids in URLs.
- This setting was added in <literal>PHP</literal> 4.3.0.
+ <literal>session.use_only_cookies</literal> specifies whether
+ the module will <emphasis role="strong">only</emphasis> use
+ cookies to store the session id on the client side. Defaults
+ to <literal>0</literal> (disabled, for backward compatibility).
+ Enabling this setting prevents attacks involved passing session
+ ids in URLs. This setting was added in <literal>PHP</literal>
+ 4.3.0.
</simpara>
</listitem>
<listitem>
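Review bot: "+ Enabling this setting prevents attacks involved passing session ids in URLs" carries the original grammar error through the rewrap; change to "prevents attacks that involve passing session IDs in URLs". Since the default is stated as 0 for backward compatibility, it would help the reader to add that enabling it is recommended where clients can be assumed to accept cookies, which is the trade-off the "backward compatibility" remark implies.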
@@ -248,8 +250,9 @@
</listitem>
<listitem>
<simpara>
- <literal>session.use_trans_sid</literal> whether transparent sid support
- is enabled or not. Defaults to <literal>0</literal> (disabled).
+ <literal>session.use_trans_sid</literal> whether transparent
+ sid support is enabled or not. Defaults to
+ <literal>0</literal> (disabled).
</simpara>
<note>
<simpara>
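Review bot: "+ session.use_trans_sid whether transparent sid support is enabled or not" has no verb; the sibling entries in this list use "specifies whether", so "session.use_trans_sid specifies whether transparent sid support is enabled" keeps the list consistent and drops the redundant "or not".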
@@ -259,18 +262,21 @@
From PHP 4.2.0, trans-sid feature is always compiled.
</simpara>
<simpara>
- URL based session management has addtional security risks compare to cookie
based
- session management. Users may send URL contains active session ID to their
- friends by email or users may save URL contains session ID to their bookmark
- and access your site with the same session ID always, for example.
+ URL based session management has additional security risks
+ compared to cookie based session management. Users may send
+ an URL that contains an active session ID to their friends by
+ email or users may save an URL that contains a session ID to
+ their bookmarks and access your site with the same session ID
+ always, for example.
</simpara>
</note>
</listitem>
<listitem>
<simpara>
- <literal>url_rewriter.tags</literal> spefifies which html tags are
- rewritten to include session id if transparent sid support is enabled.
- Defaults to
<literal>a=href,area=href,frame=src,input=src,form=fakeentry</literal>
+ <literal>url_rewriter.tags</literal> spefifies which html tags
+ are rewritten to include session id if transparent sid support
+ is enabled. Defaults to
+ <literal>a=href,area=href,frame=src,input=src,form=fakeentry</literal>
</simpara>
</listitem>
</itemizedlist>
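Review bot: the typo "spefifies" in "+ url_rewriter.tags spefifies which html tags" survives the rewrap, in a commit whose log message is "Fixed typo"; change to "specifies". In the trans-sid note, "an URL" should be "a URL" (both occurrences), and "always, for example" reads better as "for example". The two risks listed (mailed links, bookmarked URLs) are the right ones to name; it would be worth adding that url_rewriter.tags decides exactly which attributes carry the ID, so widening that list widens the exposure described in the note above it.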
--
PHP Documentation Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php