Before anyone complains, this is purely for testing a new script I have developed, to see if there are any obvious holes in it. You hear a lot about session hacking, so I thought it was something worth learning more about.
I have developed a script for a login area to a simple CMS and I want to know how hackers get in and exploit sessions so that I know where I should be looking for holes. I'm not expecting anyone to post hacking code here, just pointers to what I should look out for.
Basically, I'm using a form to post the user and password to a session script that starts the session and starts a timer. Every time the user navigates inside the admin area the timer is reset, but it will log the person out if they are inactive for 20 mins. Is this the right approach, and have I missed anything obvious?
Thanks in advance for your time.
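The idle-timeout design described in the post, written out as an added example that is not the poster's script and not tied to any particular CMS. The post names no language, so Python is used; the in-memory store, the 8-hour absolute lifetime and the `/admin` cookie path are assumptions. It shows the parts a reviewer would look for beyond the 20-minute timer: unguessable ids from the OS random source, a fresh id issued at login rather than reusing whatever id the browser already held, server-side destruction on logout, a hard cap on total session age, and cookie attributes that keep the id away from scripts and plain HTTP.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 20 * 60           # 20 minutes of inactivity, as in the post
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard cap on session lifetime (assumed value)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store (constructed example). The id sent to the
    browser is a random token that carries no user data; all state is here."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                     # injectable for deterministic tests
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG: neither guessable nor sequential
        return secrets.token_urlsafe(32)

    def login(self, user: str) -> str:
        """Call only after the password check succeeded. A brand-new id is
        issued every time, so an id the browser held before login is never
        promoted to an authenticated one (mitigates session fixation)."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Validate on every admin-area request. Returns the user name and
        resets the idle timer if the session is live; otherwise destroys the
        session and returns None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        idle_expired = now - sess.last_seen > IDLE_TIMEOUT
        too_old = now - sess.created > ABSOLUTE_TIMEOUT
        if idle_expired or too_old:
            self.logout(sid)
            return None
        sess.last_seen = now
        return sess.user

    def rotate(self, sid: str) -> Optional[str]:
        """Swap the id while keeping the session state, for use after any
        privilege change so an old id stops being valid."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        return new_sid

    def logout(self, sid: str) -> None:
        # Remove server-side: clearing the cookie alone leaves the id usable.
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value for the id. HttpOnly keeps it away from page scripts,
    Secure keeps it off plain HTTP, SameSite limits cross-site requests that
    would otherwise carry it automatically."""
    return f"sid={sid}; Path=/admin; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("admin")
    print("Set-Cookie:", session_cookie(sid))
    print("first request:", store.touch(sid))
    store.logout(sid)
    print("after logout:", store.touch(sid))
```

The clock is injected so the timeout logic can be exercised without waiting: advancing a fake clock by 19 minutes between requests keeps the session alive, a 21-minute gap ends it, and a session that is touched regularly still expires once it passes the absolute cap.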