On Sat, Aug 1, 2009 at 3:35 AM, Konstantin Rozinov<[email protected]> wrote:
> Any ideas, comments, or suggestions would be greatly welcomed!
For improved security, you should not do:
> header('Location: /logout');
but rather invalidate the session right there. Your code relies on
the attacker actually following redirects to unset the session.
People who hijack sessions don't follow redirects.
I did a test to see if this would actually be valuable, and from my
access log file the most common user agent only had 3% of the traffic,
so I think there is some value to this approach. I think 'httponly'
cookies is probably a better XSS attack mitigation strategy in the
long run (though there is no reason you can't do both).
In php 5.2+ the option is:
ini_set("session.cookie_httponly", 1);
It is supported by FF 3+, IE7+, and Safari 4+
Regards,
John Campbell
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
