I want to add some type of security token when a user is editing database content. I would like to check that the user has the authorization to edit and, once that is established, I would like to have that token follow the user as they move through the edit pages. My thoughts are to set a session variable and then keep referring to that session variable. But my gut is telling me that something might be wrong with that idea. I guess I could keep requesting the info from the database at each page.
- That would leave you vulnerable to [session hijacking](http://stackoverflow.com/questions/6483092/php-session-hijacking) – F. Stephen Q Sep 04 '15 at 15:53
- That is exactly what I was looking for. Now I have a direction to search. Thank you – Mike Alberga Sep 04 '15 at 16:37
1 Answer
Yes, that is fine. Although you need to be careful:
- Employ TLS/SSL to encrypt the session identifier using HTTPS.
- Set the Secure Flag on the session cookie so that it is never leaked over plain HTTP.
- Employ HSTS to ensure users only connect to your site over HTTPS.
- Refresh the session token on login/logout to protect against session fixation.
- Never transmit the session identifier in the URL as it is vulnerable to leakage via referer header, history and proxy/server logs.
Check out the OWASP Session Management Cheat Sheet for further reading.

SilverlightFox