While doing my weekly check of securityfocus.com for news of any new vulnerabilities, I came across this excellent article on Web application security:
Securing web applications (session management).
I’m as paranoid as anyone who knows me is aware of... so this sort of thing really appeals to me.
The session management of both the downloader and the stats counter already roughly follows the suggestions made by that story. It would not really be possible to steal a session from one of the scripts because the session files and cookie strings are extremely long and random, the cookies are “session” cookies that disappear when the browser is closed, and the script itself removes any old session files each time it’s run. In fact, even if someone did manage to create a session the same as a previous valid session, they would still need to know the hash inside the session file that is based on the user and password of the login (which is checked on every access of the admin screens). Ironically, all of that is just protecting a screen of download counts (in the downloader script) and a bunch of web user statistics (in the stats counter and the advanced stats counters); for that sort of data, such protection is probably massive overkill, but I plan to use the same lib file (with some updating) as the basis for some e-commerce apps later on.
regards
Franki
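A minimal file-based session store along the lines the post describes (long random ids, a browser-session cookie, stale session files purged on every run, and a login-bound hash re-checked on every admin access), added here as a Python example; it is not Franki's lib file, and the session directory, TTL, server secret and user table are constructed stand-ins. Keying the binding hash with a server-side secret over the stored password hash is this example's choice, not the post's.

```python
import hashlib, hmac, json, os
import secrets, tempfile, time

# Constructed stand-ins for the script's config and account store.
SESSION_DIR = tempfile.mkdtemp(prefix="sessions_")
SESSION_TTL = 900                        # seconds; older files are purged on every run
SERVER_SECRET = secrets.token_bytes(32)  # assumed per-install secret kept outside the web root
USERS = {"admin": hashlib.sha256(b"salt:correct horse").hexdigest()}  # constructed user table

def binding_hash(username, password_hash):
    """Value stored in the session file; tied to the login, so it must match on every access."""
    msg = f"{username}\0{password_hash}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def purge_stale_sessions(now=None):
    """Delete session files older than SESSION_TTL; returns how many were removed."""
    now = time.time() if now is None else now
    stale = [n for n in os.listdir(SESSION_DIR)
             if now - os.path.getmtime(os.path.join(SESSION_DIR, n)) > SESSION_TTL]
    for n in stale:
        os.remove(os.path.join(SESSION_DIR, n))
    return len(stale)

def create_session(username):
    """After a successful login: purge old sessions, mint a long random id, write the file."""
    purge_stale_sessions()
    sid = secrets.token_urlsafe(48)  # 64 URL-safe chars, 384 bits of entropy
    with open(os.path.join(SESSION_DIR, sid), "w") as f:
        json.dump({"user": username, "hash": binding_hash(username, USERS[username])}, f)
    return sid

def session_cookie(sid):
    """No Expires/Max-Age, so the browser drops it when closed (a 'session' cookie)."""
    return f"sid={sid}; Path=/admin; HttpOnly; SameSite=Strict"

def validate_session(sid):
    """Run on every admin request; unknown, malformed or mismatched ids are rejected."""
    if not sid or len(sid) != 64 or not all(c.isalnum() or c in "-_" for c in sid):
        return None  # also blocks path tricks such as "../" in the id
    path = os.path.join(SESSION_DIR, sid)
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        data = json.load(f)
    user = data.get("user")
    if user not in USERS:
        return None
    expected = binding_hash(user, USERS[user])  # recomputed from the current password hash
    return user if hmac.compare_digest(data.get("hash", ""), expected) else None
```

Because the hash is recomputed from the account store on every request, changing a user's password invalidates every existing session for that user.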