diff --git a/reference/session/reference.xml b/reference/session/reference.xml index 60c3399e3f..740d1c8f59 100644 --- a/reference/session/reference.xml +++ b/reference/session/reference.xml @@ -1,5 +1,5 @@ - + Session handling functions Sessions 
@@ -50,32 +50,32 @@ Sessions and security Using sessions, does not mean, you can be absolutely sure, that - the session data can only be viewed by that user. This is impor- - tant to keep in mind, when storing and displaying sensative + the session data can only be viewed by that user. This is important + to keep in mind, when storing and displaying sensitive information. When storing data into a session, one should always ask themselves, what the damage is, when somebody else views that information, or how your application is affected when this session is actually somebody else. - For instance, if somebody else takes a session, can he than post - a message in a forum, as that user and how big of a problem is that? - Or perhaps he can view what the original user was thinking of - ordering, because he gets access to that user's shopping cart. + For instance, if somebody else takes a session, can he then post + a message in a forum, as that user and how big of a problem is + that? Or perhaps he can view what the original user was thinking + of ordering, because he gets access to that user's shopping cart. Obviously for a flowershop, this is less dramatic, than for a - farmacy. + pharmacy. - Therefore, when dealing with sensative information, there should + Therefore, when dealing with sensitive information, there should always be additional methods to decide whether it is a valid - session. Sessions are not reliable as a secure - authentication mechanism. + session. Sessions are not reliable as a secure authentication + mechanism. - Sessions rely on the session ID, meaning one can 'steal' a session, - by stealing the session ID. This can be made harder, by using a cookie - specifically a session cookie, but does not in any way make it - impossible and still relies on the user closing all + Sessions rely on the session ID, meaning one can 'steal' a + session, by stealing the session ID. 
This can be made harder, by + using a cookie specifically a session cookie, but does not in any + way make it impossible and still relies on the user closing all browser windows, to expire the session cookie. Besides that, even session cookies can be sniffed on a network or logged by a proxyserver. @@ -179,10 +179,11 @@ - session.referer_check contains the substring you - want to check each HTTP Referer for. If the Referer was sent by the - client and the substring was not found, the embedded session id will - be marked as invalid. Defaults to the empty string. + session.referer_check contains the + substring you want to check each HTTP Referer for. If the + Referer was sent by the client and the substring was not + found, the embedded session id will be marked as invalid. + Defaults to the empty string. @@ -211,12 +212,13 @@ - session.use_only_cookies specifies whether the - module will only use cookies to - store the session id on the client side. Defaults to - 0 (disabled, for backward compatibility). Enabling - this setting prevents attacks involved passing session ids in URLs. - This setting was added in PHP 4.3.0. + session.use_only_cookies specifies whether + the module will only use + cookies to store the session id on the client side. Defaults + to 0 (disabled, for backward compatibility). + Enabling this setting prevents attacks involved passing session + ids in URLs. This setting was added in PHP + 4.3.0. @@ -248,8 +250,9 @@ - session.use_trans_sid whether transparent sid support - is enabled or not. Defaults to 0 (disabled). + session.use_trans_sid whether transparent + sid support is enabled or not. Defaults to + 0 (disabled). 
@@ -259,18 +262,21 @@ From PHP 4.2.0, trans-sid feature is always compiled. - URL based session management has addtional security risks compare to cookie based - session management. Users may send URL contains active session ID to their - friends by email or users may save URL contains session ID to their bookmark - and access your site with the same session ID always, for example. + URL based session management has additional security risks + compared to cookie based session management. Users may send + an URL that contains an active session ID to their friends by + email or users may save an URL that contains a session ID to + their bookmarks and access your site with the same session ID + always, for example. - url_rewriter.tags spefifies which html tags are - rewritten to include session id if transparent sid support is enabled. - Defaults to a=href,area=href,frame=src,input=src,form=fakeentry + url_rewriter.tags spefifies which html tags + are rewritten to include session id if transparent sid support + is enabled. Defaults to + a=href,area=href,frame=src,input=src,form=fakeentry
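Review bot: The rewrapped url_rewriter.tags paragraph at the end of this hunk still carries the typo "spefifies"; since this commit is already fixing spelling in the surrounding text (addtional, compare), change the added line to "url_rewriter.tags specifies which html tags" so the typo is not re-committed as new text.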
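Review bot: In the trans-sid paragraph of the same hunk, the new lines introduce "an URL" twice ("Users may send an URL that contains an active session ID", "users may save an URL that contains a session ID"); the manual elsewhere uses "a URL", so write "a URL" in both places.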
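Review bot: The use_only_cookies hunk reflows the sentence "Enabling this setting prevents attacks involved passing session ids in URLs" without fixing it; "involved passing" is ungrammatical, so change it to "attacks that involve passing session ids in URLs" while the lines are being touched.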
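Review bot: The "Sessions and security" hunk fixes "sensative", "than" and "farmacy" but leaves other wording in the lines it rewraps: "Using sessions, does not mean, you can be absolutely sure, that" has stray commas and reads better as "Using sessions does not mean you can be absolutely sure that"; "by using a cookie specifically a session cookie" needs a comma or dash before "specifically"; and "proxyserver" in the trailing context should be "proxy server". Since these lines are being re-emitted anyway, fold those fixes into the same change.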