Fixed typo. Patch by Martin Samesch <martin.samesch@vogelspinnenseite.de>

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@92338 c90b9560-bf6c-de11-be94-00142212c4b1
Yasuo Ohgaki 2002-08-17 00:32:26 +00:00
parent 4746fae730
commit 43bf4f369f

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.9 $ -->
<!-- $Revision: 1.10 $ -->
<reference id="ref.session">
<title>Session handling functions</title>
<titleabbrev>Sessions</titleabbrev>
@ -50,32 +50,32 @@
<title>Sessions and security</title>
<para>
Using sessions, does not mean, you can be absolutely sure, that
the session data can only be viewed by that user. This is impor-
tant to keep in mind, when storing and displaying sensative
the session data can only be viewed by that user. This is important
to keep in mind, when storing and displaying sensitive
information. When storing data into a session, one should always
ask themselves, what the damage is, when somebody else views that
information, or how your application is affected when this session
is actually somebody else.
</para>
<para>
For instance, if somebody else takes a session, can he than post
a message in a forum, as that user and how big of a problem is that?
Or perhaps he can view what the original user was thinking of
ordering, because he gets access to that user's shopping cart.
For instance, if somebody else takes a session, can he then post
a message in a forum, as that user and how big of a problem is
that? Or perhaps he can view what the original user was thinking
of ordering, because he gets access to that user's shopping cart.
Obviously for a flowershop, this is less dramatic, than for a
farmacy.
pharmacy.
</para>
<para>
Therefore, when dealing with sensative information, there should
Therefore, when dealing with sensitive information, there should
always be additional methods to decide whether it is a valid
session. Sessions are not reliable as a secure
authentication mechanism.
session. Sessions are not reliable as a secure authentication
mechanism.
</para>
<para>
Sessions rely on the session ID, meaning one can 'steal' a session,
by stealing the session ID. This can be made harder, by using a cookie
specifically a session cookie, but does not in any way make it
impossible and still relies on the user closing all
Sessions rely on the session ID, meaning one can 'steal' a
session, by stealing the session ID. This can be made harder, by
using a cookie specifically a session cookie, but does not in any
way make it impossible and still relies on the user closing all
browser windows, to expire the session cookie.
Besides that, even session cookies can be sniffed on a network or
logged by a proxyserver.
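Review bot: the reflow leaves several of the original wording problems in place in this hunk. In the first paragraph, "Using sessions, does not mean, you can be absolutely sure, that" has stray commas and should read "Using sessions does not mean you can be absolutely sure that"; in the last paragraph, "by using a cookie specifically a session cookie" needs punctuation ("by using a cookie, specifically a session cookie,"), and the unchanged trailing context still has "flowershop" and "proxyserver", which should be "flower shop" and "proxy server". Since this is a typo-fix commit, it would be worth folding those in as well.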
@ -179,10 +179,11 @@
</listitem>
<listitem>
<simpara>
<literal>session.referer_check</literal> contains the substring you
want to check each HTTP Referer for. If the Referer was sent by the
client and the substring was not found, the embedded session id will
be marked as invalid. Defaults to the empty string.
<literal>session.referer_check</literal> contains the
substring you want to check each HTTP Referer for. If the
Referer was sent by the client and the substring was not
found, the embedded session id will be marked as invalid.
Defaults to the empty string.
</simpara>
</listitem>
<listitem>
@ -211,12 +212,13 @@
</listitem>
<listitem>
<simpara>
<literal>session.use_only_cookies</literal> specifies whether the
module will <emphasis role="strong">only</emphasis> use cookies to
store the session id on the client side. Defaults to
<literal>0</literal> (disabled, for backward compatibility). Enabling
this setting prevents attacks involved passing session ids in URLs.
This setting was added in <literal>PHP</literal> 4.3.0.
<literal>session.use_only_cookies</literal> specifies whether
the module will <emphasis role="strong">only</emphasis> use
cookies to store the session id on the client side. Defaults
to <literal>0</literal> (disabled, for backward compatibility).
Enabling this setting prevents attacks involved passing session
ids in URLs. This setting was added in <literal>PHP</literal>
4.3.0.
</simpara>
</listitem>
<listitem>
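Review bot: "Enabling this setting prevents attacks involved passing session ids in URLs" is still ungrammatical after the reflow; suggest "prevents attacks that involve passing session ids in URLs". While touching this paragraph, "store the session id" vs. "session ids" could be made consistent with the capitalisation used elsewhere in the file ("session ID").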
@ -248,8 +250,9 @@
</listitem>
<listitem>
<simpara>
<literal>session.use_trans_sid</literal> whether transparent sid support
is enabled or not. Defaults to <literal>0</literal> (disabled).
<literal>session.use_trans_sid</literal> whether transparent
sid support is enabled or not. Defaults to
<literal>0</literal> (disabled).
</simpara>
<note>
<simpara>
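Review bot: the reflowed text "<literal>session.use_trans_sid</literal> whether transparent sid support is enabled or not" is still a sentence fragment; suggest "specifies whether transparent sid support is enabled. Defaults to <literal>0</literal> (disabled)." to match the wording pattern of the other entries in this list.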
@ -259,18 +262,21 @@
From PHP 4.2.0, trans-sid feature is always compiled.
</simpara>
<simpara>
URL based session management has addtional security risks compare to cookie based
session management. Users may send URL contains active session ID to their
friends by email or users may save URL contains session ID to their bookmark
and access your site with the same session ID always, for example.
URL based session management has additional security risks
compared to cookie based session management. Users may send
an URL that contains an active session ID to their friends by
email or users may save an URL that contains a session ID to
their bookmarks and access your site with the same session ID
always, for example.
</simpara>
</note>
</listitem>
<listitem>
<simpara>
<literal>url_rewriter.tags</literal> spefifies which html tags are
rewritten to include session id if transparent sid support is enabled.
Defaults to <literal>a=href,area=href,frame=src,input=src,form=fakeentry</literal>
<literal>url_rewriter.tags</literal> spefifies which html tags
are rewritten to include session id if transparent sid support
is enabled. Defaults to
<literal>a=href,area=href,frame=src,input=src,form=fakeentry</literal>
</simpara>
</listitem>
</itemizedlist>
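Review bot: "spefifies" in the <literal>url_rewriter.tags</literal> paragraph is carried over unchanged by the reflow and should be "specifies"; for a commit titled "Fixed typo" this is the one to catch. In the note above it, "an URL" should be "a URL" in both places, and "trans-sid feature is always compiled" would read better as "the trans-sid feature is always compiled in". The remaining line breaks and the change from "compare to" to "compared to" look fine.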