Aidan Woods:
Secure Headers for PHP
Jan 09, 2017 @ 13:14:11

In a recent post to his site Aidan Woods shares information (and code) related to the use of secure headers in PHP applications. He's even created a package to help make it easier to drop them into a new or existing project without too much trouble.

Recently I've been working on a drop in class to manage certain "Secure Headers" in PHP. By "Secure Headers", I'm of course talking about those mentioned in the OWASP Secure Headers Project. The project, SecureHeaders is available on GitHub.

He starts by covering why he created the library and what it can help you with, including making things like a CSP policy easier to maintain. The article goes on to explain what the Content-Security-Policy header is and what kind of protection it provides. He also shares how the package reports errors, modifies cookies to secure them (HttpOnly and Secure flags), and provides a "safe mode" that will "place an upper limit on things like HSTS and HPKP, and remove flags like includeSubDomains or preload until the header is manually added as a safe mode exception, or safe mode is disabled."

tagged: header security package project csp https cookies

Link: https://www.aidanwoods.com/blog/secure-headers-for-php

Aaron Saray:
Two Quick Tips for Securing PHP Sessions
Feb 15, 2016 @ 09:41:47

In a new post to his site Aaron Saray shares two tips that can help you protect the information in your PHP sessions: two configuration options you can enable that enforce stricter handling of session identifiers and so improve their overall security.

Let’s talk a little bit about session fixation in PHP. Such a fun topic, right? Tons to get into here. But, let’s just touch the surface on two VERY SIMPLE things you can be doing now to make sure that your website is safe.

The two configuration options he mentions are ones that:

  • force the session identifier to use cookies (versus also allowing it from the URL)
  • enforce "strict mode" on the sessions

Each comes with a short description of what the setting does and the recommended value for the most protection. One note, though: strict mode is only available in PHP 5.5.2 or greater.
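As an added example (not code from either post above, nor from the SecureHeaders package), the two settings from this post applied together with the Secure and HttpOnly cookie flags mentioned in the SecureHeaders entry. The function name and its return value are this example's own; the ini settings and session_set_cookie_params() are standard PHP.

```php
<?php
// Added example: harden the session id handling before session_start().
// Call this once at the top of every request, before any output.

function hardenSessionConfig($httpsOnly = true)
{
    // Accept the session id only from the cookie, never from the URL,
    // so a link carrying PHPSESSID cannot fix the victim's session id.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Strict mode refuses an uninitialised id supplied by the client and
    // issues a fresh one instead. It exists only from PHP 5.5.2 onwards,
    // so check the running version rather than silently setting nothing.
    $strictAvailable = version_compare(PHP_VERSION, '5.5.2', '>=');
    if ($strictAvailable) {
        ini_set('session.use_strict_mode', '1');
    }

    // Session cookie flags: HttpOnly keeps the id away from scripts,
    // Secure keeps it off plain-HTTP connections.
    // Signature: (lifetime, path, domain, secure, httponly).
    session_set_cookie_params(0, '/', '', (bool) $httpsOnly, true);

    // Return the effective configuration so it can be checked or logged.
    return array(
        'use_only_cookies' => (bool) ini_get('session.use_only_cookies'),
        'use_strict_mode'  => $strictAvailable
            ? (bool) ini_get('session.use_strict_mode')
            : null, // null: this PHP build has no strict mode
        'cookie_secure'    => (bool) $httpsOnly,
        'cookie_httponly'  => true,
    );
}

$applied = hardenSessionConfig();
session_start();

// On a PHP older than 5.5.2, 'use_strict_mode' comes back null; treat that
// as a signal to upgrade rather than as "protected".
```

Calling hardenSessionConfig() after session_start() has no effect on the current request, since the session cookie and id handling are fixed at start time.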

tagged: session security tip strict mode cookies useonly phpini configuration setting

Link: http://aaronsaray.com/2016/two-quick-tips-for-securing-php-sessions

Paul Reinheimer's Blog:
Cookies don't replace Sessions
Jan 24, 2012 @ 09:26:20

In a new post to his blog Paul Reinheimer talks about replacing sessions with cookies and some of the (security) pitfalls that can come with it.

I’ve seen several instances where people have demonstrated the ease with which encrypted cookies can replace sessions within PHP. Michael Nitschinger wrote a piece recently demonstrating the switch with Lithium, while CodeIgniter does this by default (optionally encrypting). The problem is that while replacing sessions with cookies works, it introduces a few risks not present with native session support, and these risks tend to be under documented.

He gives an illustration of an attacker who sits between Amazon and one of their warehouses. Even though the order details are encrypted, all it would take is for the attacker to capture an order, copy it and resend it (a "replay attack"). He's created an example application to illustrate the point (source on GitHub). The attacker doesn't even have to know what the encrypted information contains; they only have to replicate it.

tagged: cookies session cryptography advice security replay attack

Link:

WebReference.com:
How to Interact with Web Forms (Part 1)
Jan 18, 2006 @ 07:13:05

On WebReference.com today, there's this new tutorial with an introduction to getting PHP to interact with web forms.

HTML forms are one of the key ingredients of any dynamic website because they can enable the users of a site to interact with it. Otherwise, websites are more or less static: They may be driven by a database and, therefore, regularly changing, but they look the same for each and every visitor. HTML forms can change that; therefore, using data from forms from within PHP is very important.

They give examples of how to send data back to a script from a form, reading that data (using superglobals), and what data will be returned from each form element type. From there, they get into specifics like dealing with magic quotes and saving the form data into a cookie...

tagged: interact web forms superglobals types magic quotes cookies

Link: