Thanks for both suggestions.
On Sat, Aug 1, 2009 at 10:02 PM, John Campbell <[email protected]> wrote:
> On Sat, Aug 1, 2009 at 3:35 AM, Konstantin Rozinov <[email protected]> wrote:
>
>> Any ideas, comments, or suggestions would be greatly welcomed!
>
> For improved security, you should not do:
>
>> header('Location: /logout');
>
> but rather invalidate the session right there. Your code relies on
> the attacker actually following redirects to unset the session.
> People who hijack sessions don't follow redirects.
>
> I did a test to see if this would actually be valuable, and from my
> access log file the most common user agent only had 3% of the traffic,
> so I think there is some value to this approach. I think 'httponly'
> cookies is probably a better XSS attack mitigation strategy in the
> long run (though there is no reason you can't do both).
>
> In php 5.2+ the option is:
> ini_set("session.cookie_httponly", 1);
>
> It is supported by FF 3+, IE7+, and Safari 4+
>
> Regards,
> John Campbell
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
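As an added example (not code from either poster), this is the logout handling John describes: the session is invalidated in the same request that detects the problem, instead of redirecting to /logout and hoping the client follows, and the httponly cookie flag is set before session_start(). The session.cookie_secure and session.use_only_cookies lines are assumptions (they presume the site is served over HTTPS and does not pass session ids in URLs).

```php
<?php
// Added example, not from the thread. Assumes PHP 5.2+ with the default
// cookie-based session id.

// Harden the session cookie before the session is started. httponly is the
// setting John mentions; the other two are assumptions about the deployment.
ini_set('session.cookie_httponly', 1);
ini_set('session.use_only_cookies', 1);   // assumption: no session ids in URLs
ini_set('session.cookie_secure', 1);      // assumption: site served over HTTPS

session_start();

// Kill the current session server-side and expire the client's cookie.
// Calling this directly is what replaces header('Location: /logout'):
// a hijacker who ignores the redirect still loses the session.
function invalidate_session()
{
    // 1. Drop all server-side session data for this id.
    $_SESSION = array();

    // 2. Expire the session cookie with the same attributes it was set with,
    //    so the browser stops sending the old id.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params['path'], $params['domain'],
            $params['secure'], $params['httponly']);
    }

    // 3. Remove the session store entry itself.
    session_destroy();
}

// Wherever the original code redirected to /logout on a suspected hijack
// (for example a user-agent mismatch), invalidate first, then redirect.
invalidate_session();
header('Location: /login');
exit;
```

The redirect at the end is now only a courtesy for legitimate browsers; the session is already gone by the time it is sent.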
