PHP session security on a custom e-commerce website, what should I do?

Hi, I have a website going live shortly that has a very simple system whereby customers can purchase a single item from the website. I am using PHP sessions to store the customer's product, personal and bank details as they move through the site.

However, I am concerned that I do not have any PHP session security, or not enough, or that it is not done properly. I have read Chris Shiflett's page on security and tried to implement his methods, but I really haven't been able to grasp or understand what needs to be done, and I think that what I currently have in place isn't even working.

My current code is very small and only appears at the start of every page, beginning with "session_start()". Here it is:

session_start();                    // resume the session named by the cookie, or start a new one

if (!isset($_SESSION['initiated']))
{
    // First request in this session: swap the ID for a fresh one, then
    // mark the session so this branch never runs again for it.
    session_regenerate_id();        // old session data is kept unless true is passed
    $_SESSION['initiated'] = true;
}

To be honest I really have no idea what this is doing apart from regenerating the session id if $_SESSION['initiated'] is not true.

Could someone please suggest some session security methods that I can implement on my site, and any other security measures you think might be required?

Thanks in advance.

Daniel.

Your code is wrong; I don't see why you wrote it this way.

Your logic on the first request:

if not exists create session_id
if user appears first time
  generate new session_id
  save initiated = true
show your page with initiated = true

Second request:

show your page with initiated = true

On any visit, initiated = true and the session_id is the same. So initiated will always be true, whether it is the first, second, third... visit.

So your code does only one thing: on the first visit it generates two session IDs and saves initiated = true. This doesn't provide any security.

You should create a user system and then save the items the user purchased, or something similar.

UPDATE

You can ask the customer for his email address and then send a confirmation to that email; save the email and product ID in the database, so one email, one product.

Yes, a customer can create a second email and try to buy one more, but sessions can also be manipulated: just remove the session cookie or restart the browser and you can go and buy one more time.
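The snippet in the question regenerates the ID once and then never touches the session again, which, as the answer above says, adds nothing. The following is an added example, not code from the asker or from either answer, of what a hardened session bootstrap for a site like this would look like: strict mode and cookie attributes set before session_start(), an idle timeout, periodic ID rotation, a client binding in the spirit of Shiflett's check, and a regenerate at the moment the session first holds customer data. The cookie name, the timeouts and the whitelisted checkout fields are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Hardened PHP session bootstrap. Include once, before any output, on every page.
// Names and intervals below are assumptions chosen for this example.

const SHOP_SESSION_NAME = 'shop_sid';   // assumption: custom cookie name instead of PHPSESSID
const IDLE_TIMEOUT      = 15 * 60;      // seconds of inactivity after which the session is dropped
const ROTATE_INTERVAL   = 5 * 60;       // rotate the ID at least this often while active

function client_fingerprint(): string
{
    // Weak binding in the spirit of Shiflett's check: a stolen ID replayed from a
    // client with a different User-Agent is rejected. It does not stop an attacker
    // who copies the header too, so treat it as a heuristic, not a control.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function start_secure_session(): void
{
    // Only accept IDs the server itself issued (defeats fixation via a planted cookie),
    // and never carry the ID in a URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_name(SHOP_SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not exposed to document.cookie
        'samesite' => 'Lax',    // not sent on cross-site POSTs (CSRF mitigation)
    ]);
    session_start();

    $now = time();

    // Stale session, or a session arriving from a different client: wipe it and
    // issue a fresh ID rather than resuming the old state.
    $expired  = isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT;
    $hijacked = isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], client_fingerprint());
    if ($expired || $hijacked) {
        $_SESSION = [];
        session_regenerate_id(true);  // true: delete the old session data on the server
        $_SESSION['rotated_at'] = $now;
    }

    // Periodic rotation shortens the time a leaked ID stays usable.
    if (!isset($_SESSION['rotated_at']) || ($now - $_SESSION['rotated_at']) > ROTATE_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }

    $_SESSION['last_seen'] = $now;
    $_SESSION['fp']        = client_fingerprint();
}

function store_checkout_details(array $input): void
{
    // Regenerate when the session first becomes valuable (customer submits details):
    // this is the point where a one-time regenerate_id actually buys something,
    // because an ID fixed before it is discarded.
    // Only whitelisted fields are kept. Card numbers and CVVs must go straight to
    // the payment processor, never into $_SESSION: session files sit on disk in
    // session.save_path and are readable by anyone with access to the server.
    $allowed = ['product_id', 'name', 'email', 'address'];   // assumption: fields this shop needs
    $_SESSION['checkout'] = array_intersect_key($input, array_flip($allowed));
    session_regenerate_id(true);
    $_SESSION['rotated_at'] = time();
}

function end_session(): void
{
    // Call after the order is committed to the database: clear server state and
    // expire the cookie, so the finished checkout cannot be replayed.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// On every page:
start_secure_session();
```

The array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or newer. Note what this does not do: none of it limits a customer to one purchase, because, as the answer points out, clearing the cookie gives a fresh session. That rule has to live in the database (for example a unique constraint on the confirmed email), with the session used only to carry the in-progress checkout.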

This would check whether a session already exists ($_SESSION['initiated'] == TRUE), and if it does not, it would create one. PHP sessions store the session information on the server, so it is secure enough.