This morning I checked my email, then read about PHP Session security. I read a Sitepoint article: Notes on PHP Session Security and then The Truth about Sessions by Chris Shiflett.
I thought the article by Chris Shiflett was well written and easy to understand, however after reading all the comments I don't understand how his method actually adds any security at all. Basically, it's unlikely that a hacker will guess a user's session id, but they may gain it by intercepting information sent between the user and the server. Now if they can intercept the session id, it is highly likely that they are also intercepting all other headers and requests sent, and so will also spoof all the other headers as well as the session cookie, thus making your checking of the HTTP_USER_AGENT or whatever useless. All it will do is make more work for the server and more work for you to code. Comment #69 on the article seems to sum it up perfectly: Why Sessions can't be secured.
After lunch I played on Animal Crossing for quite a while. I spent most of my time clearing out my basement and cupboards to make room for my Pave collection. After that I did some work on my website, then I went on Animal Crossing again. Unfortunately the Annoying Ben Poyo wouldn't swap a Mario item for his Pave lamp. He wouldn't even swap a Pave Bureau (that he didn't have) plus a Mario item for the lamp. He said he needed a lamp and only wanted Pave or Mario stuff, so he'd only swap it for a Mario lamp or he'd swap it for the Pave Bureau if I agreed to sell him all my Mario stuff for 20,000 bells per item.
After dinner I went on Animal a bit more, then re-named/tagged some ELO albums I'd bought/downloaded. I checked my email and looked at some websites to see how they deal with contact forms. dpreview and Amazon just have plain forms - no captchas, no turing tests, no honeypots and no hidden fields with a session hash. Play.com seemed to have some hidden fields with hashes in.
I also checked deviantart, they don't display a contact form if you're not logged in, but do a have an email address complete with mailto: link in the page (I checked the source and it was there, so not inserted by javascript).
Ford's contact form seemed pretty simple as well. It did include multiple fields, where which ones were displayed depended on the Email Topic you choose, so I guess fields that shouldn't be filled out depending on the option you choose could be used as a honeypot. I didn't see any fields with session identifiers in them.
I was thinking about adding a turing test (random simple question that is easy to answer like 'What colour is an orange?') and a honeypot (input field hidden with CSS that spambots will fill out but humans won't), and a hash stored also in the $_SESSION variable (so you can check the form is being submitted from your site) to my contact form. I was also thinking of printing all links to my email address as a link to the contact form, then use javascript to convert these into my email address (and change the link as well). Then people without js can use the contact form and everyone else can email me or use the contact form if they prefer. However, since these large sites that I've checked don't seem to take these precautions I'm not sure if there's not much point. Adding the turing test would take the most time since ideally you want a few random questions and answers so a spambot can't be sure which question it is that the form is going to ask.
The weather today was overcast all day.
Food
Breakfast: Pink grapefruit marmalade toast sandwich; cup o' tea.
Lunch: Smoked ham with salad sandwich; clementine; cup o' tea.
Dinner: Minced Beef; gravy; cheese scones; green beans; potatoes; carrots; tomato ketchup. Pudding was a pancake with lemon juice and sugar. Coffee.
Supper: Double choc chip Fairtrade cookie; coffee.
Tuesday, 24 February 2009
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment