
Paul Reinheimer's Blog:
Cookies don't replace Sessions
January 24, 2012 @ 09:26:20

In a new post to his blog, Paul Reinheimer looks at replacing PHP's native sessions with (encrypted) cookies and at the security pitfalls that come with doing so.

I've seen several instances where people have demonstrated the ease with which encrypted cookies can replace sessions within PHP. Michael Nitschinger wrote a piece recently demonstrating the switch with Lithium, while CodeIgniter does this by default (optionally encrypting). The problem is that while replacing sessions with cookies works, it introduces a few risks not present with native session support, and these risks tend to be under-documented.

He illustrates the risk with an attacker who sits on the wire between Amazon and one of its warehouses. Even though the order details are encrypted, all the attacker has to do is capture an order as it passes and send it again (a "replay attack"); the warehouse has no way to tell the copy from the original. He has built an example application to demonstrate the point (source on GitHub). The attacker doesn't need to know what the encrypted payload contains - encryption hides the contents, but it does nothing to stop the same ciphertext being submitted twice - they only have to replicate it.
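To make the replay concrete, here is an added example (not code from Paul Reinheimer's post or from his GitHub demo application) of a stateless encrypted-cookie "session" of the kind CodeIgniter or Lithium produce, followed by the only kind of fix that works: server-side state. The cookie layout (nonce || libsodium secretbox ciphertext, base64), the order fields, the one-time token and the expiry window are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical key for the example; a real application loads it from
// configuration outside the web root, never generates it per request.
$key = sodium_crypto_secretbox_keygen();

/** Encrypt and authenticate $data into a cookie value: base64(nonce || ciphertext). */
function seal_cookie(array $data, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox(json_encode($data, JSON_THROW_ON_ERROR), $nonce, $key);
    return base64_encode($nonce . $box);
}

/** Verify the MAC and decrypt a cookie value; null if it was tampered with or is not ours. */
function open_cookie(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // authentication failed: modification is detected, replay is not
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

/** Stateless warehouse: trusts any cookie that decrypts, however many times it arrives. */
function ship_stateless(string $cookie, string $key): string
{
    $order = open_cookie($cookie, $key);
    if ($order === null) {
        return 'rejected: bad cookie';
    }
    return "shipped order {$order['id']} to {$order['address']}";
}

/**
 * Stateful warehouse: the cookie carries a one-time token and an expiry, and the
 * server remembers which tokens it has already consumed. That table is exactly
 * the server-side state a native session gives you for free.
 */
function ship_stateful(string $cookie, string $key, array &$consumed, int $now): string
{
    $order = open_cookie($cookie, $key);
    if ($order === null) {
        return 'rejected: bad cookie';
    }
    if ($now > $order['expires']) {
        return 'rejected: expired';
    }
    if (isset($consumed[$order['token']])) {
        return 'rejected: replay';
    }
    $consumed[$order['token']] = $now; // in practice: a database or cache with the same TTL
    return "shipped order {$order['id']} to {$order['address']}";
}

// Constructed order, standing in for Amazon sending an order to a warehouse.
$order = [
    'id'      => 1001,
    'address' => '1 Example Street',
    'token'   => bin2hex(random_bytes(16)),
    'expires' => time() + 300,
];
$cookie = seal_cookie($order, $key);

// The attacker on the wire can neither read nor alter the cookie, only copy it.
$captured = $cookie;

echo ship_stateless($cookie, $key), "\n";    // shipped order 1001 ...
echo ship_stateless($captured, $key), "\n";  // shipped again: the replay succeeds

$consumed = [];
echo ship_stateful($cookie, $key, $consumed, time()), "\n";    // shipped order 1001 ...
echo ship_stateful($captured, $key, $consumed, time()), "\n";  // rejected: replay

// Tampering, unlike replay, is caught by the MAC: flip one base64 character.
$tampered = $cookie;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
echo ship_stateless($tampered, $key), "\n";  // rejected: bad cookie
```

Note what the authenticated encryption buys and what it does not: `sodium_crypto_secretbox` stops the attacker reading or editing the order, yet the stateless warehouse still ships twice because a valid ciphertext is valid every time it arrives. The only thing that turns the second delivery into "rejected: replay" is the `$consumed` table, which has to live on the server and has to be shared by every server that handles the cookie. Once you keep that, you are maintaining session state again; the cookie has merely changed how the data travels, not whether the server can be stateless.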

Tags: cookies, session, cryptography, advice, security, replay attack


All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework