PHP Session and Password Security
Any website that has the ability to "remember" or "recognize" a visitor uses some form of _session_ management. These sessions, which have a one-to-one correspondence with a unique site visitor, often contain sensitive information, including a unique session ID. Because these sessions contain sensitive data and are used to identify a specific user, they become a target for attackers. Most server-side languages such as PHP have rudimentary session management built into their core or available as an official library. Unfortunately, the default session management is often insecure on its own, and there is a series of steps which must be followed to protect against session hijacking, session fixation, and session prediction. Additionally, PHP recently revised the way it handles password management, and this change is related to session management. This talk discusses how to improve session security and utilize the new password management features.
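As an added illustration of the defences the abstract refers to (this is example code written for this page, not material from the talk or from PHP's own documentation), the following PHP shows a hardened session bootstrap together with the `password_hash()` / `password_verify()` API. It assumes PHP 7.3 or later (array-form `session_set_cookie_params()` and `setcookie()`), HTTPS in production, and a single-host deployment; the user ID and password values at the bottom are constructed demo values.

```php
<?php
// Added example: hardened PHP session handling plus the password_hash() API.
// Assumes PHP >= 7.3 and that the site is served over HTTPS.
declare(strict_types=1);

// --- Session hardening ---------------------------------------------------

// Reject session IDs the server never issued. This is the core anti-fixation
// setting: an attacker-planted PHPSESSID is discarded instead of adopted.
ini_set('session.use_strict_mode', '1');
// Accept the ID only from the cookie, never from the URL or a form field
// (URL-carried IDs leak through referrers and are trivial to plant).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Longer IDs from the CSPRNG make guessing/prediction impractical (PHP >= 7.1).
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

// Cookie flags: HttpOnly keeps the ID out of reach of injected scripts,
// Secure keeps it off plaintext HTTP, SameSite limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie
    'path'     => '/',
    'domain'   => '',     // assumption: single host; set explicitly for subdomains
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Issue a fresh ID at the privilege boundary so whatever ID the browser held
// before authentication (possibly attacker-supplied) is never the logged-in ID.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);   // true: delete the old session data too
    $_SESSION['user_id']    = $userId;
    $_SESSION['last_seen']  = time();
    $_SESSION['rotated_at'] = time();
}

// Per-request check: idle timeout plus periodic ID rotation, which shortens
// the window in which a stolen ID remains usable.
function requireAuthenticatedSession(int $idleSeconds = 900, int $rotateSeconds = 300): int
{
    if (!isset($_SESSION['user_id'])) {
        throw new RuntimeException('not authenticated');
    }
    $now = time();
    if ($now - $_SESSION['last_seen'] > $idleSeconds) {
        logout();
        throw new RuntimeException('session expired');
    }
    if ($now - $_SESSION['rotated_at'] > $rotateSeconds) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
    return (int) $_SESSION['user_id'];
}

// Destroy server-side state and expire the cookie on the client.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// --- Password storage (password_hash API, PHP >= 5.5) --------------------

// The returned string embeds algorithm, cost and a random salt; store it as-is.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verifies the password and, when the stored hash uses an older algorithm or
// cost, returns a replacement hash via $rehash so the caller can upgrade it.
function verifyPassword(string $plain, string $storedHash, ?string &$rehash): bool
{
    $rehash = null;
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $rehash = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed demo values, not real credentials.
$stored = hashPassword('correct horse battery staple');
if (verifyPassword('correct horse battery staple', $stored, $newHash)) {
    onSuccessfulLogin(42);          // 42: constructed demo user ID
    echo requireAuthenticatedSession(), PHP_EOL;
}
```

The two halves are deliberately tied together: `onSuccessfulLogin()` is the only place the application should set `user_id`, and it is called only after `verifyPassword()` succeeds, so a session can never carry an authenticated identity under an ID that pre-dates the credential check. When `$rehash` comes back non-null, write it to the user record in the same request so cost upgrades happen transparently over time.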
Elliott Post (@epost88)
Elliott Post holds his master's degree in Computer Science from Loyola University Chicago. He has almost two decades of programming experience and currently runs a small web development company named Ellytronic Media. Elliott also teaches computer science courses part-time at Loyola, and he is a co-organizer of the Chicago Web Pros Meetup.