If we intend to build a secure system, we might want to take a look at the CIA model of security. What, the CIA? I don’t want any trouble with the US government. Well, not that kind of CIA; I’m talking about the acronym for the three key principles that put the security in the term information security.
(I’ll illustrate some of these concepts through PHP, a server-side programming language where security is serious business, mainly because I’m currently learning it and this will help me “study”. And hey, I warn you, it’s very basic PHP, so don’t )
Give me a C of… Confidentiality
Basically, protecting information from people who are not supposed to see it (well, isn’t it obvious?). This is the most common kind of attack, and when it happens it is called a breach. Encryption can come to the rescue though 🙂
In PHP there are several “superglobals” that cannot be trusted when building a serious web application; some of them are:
$_REQUEST… and others. These are variables that are accessible from anywhere, no matter the context, so avoid them.
Also, don’t ever use POST for sensitive information.
Ensuring that data cannot be changed, or at least is not altered by someone who is not supposed to change it. Some attacks intercept messages and alter them before they reach the recipient.
Another tip for preventing session hijacking in PHP is to store the client IP address with the session, obtained by calling getenv("REMOTE_ADDR").
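Here is what that tip looks like in practice, as an added example that is not code from the original post: the session records the client address on its first request and refuses any later request that presents the same session id from a different address. The function names clientAddress and startBoundSession are my own, and the default PHP session handler is assumed.

```php
<?php
// Added example: bind a PHP session to the client address reported by the
// web server and reject the session if that address changes.
declare(strict_types=1);

function clientAddress(): string
{
    // getenv('REMOTE_ADDR') holds the same value as $_SERVER['REMOTE_ADDR'];
    // both are set by the web server from the TCP connection, not by the
    // request itself, so the client cannot supply this value in a form field.
    $addr = getenv('REMOTE_ADDR');
    return $addr === false ? '' : $addr;
}

function startBoundSession(): void
{
    session_start();
    $current = clientAddress();

    if (!isset($_SESSION['bound_addr'])) {
        // First request for this session: rotate the id so an id the client
        // was handed before authentication is not kept, then record the
        // address the session is bound to.
        session_regenerate_id(true);
        $_SESSION['bound_addr'] = $current;
        return;
    }

    if (!hash_equals($_SESSION['bound_addr'], $current)) {
        // Same session id, different address: treat it as a possible
        // hijack, throw the session away and make the caller re-authenticate.
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session rejected');
    }
}

startBoundSession();
// From here on, read request data from $_POST or $_GET explicitly rather
// than $_REQUEST, so it is clear which channel each value came from.
```

Clients on mobile networks or behind carrier NAT legitimately change addresses, so a strict binding like this will log some real users out; a common compromise is to re-prompt for credentials instead of destroying the session outright.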
Information must be accessible and visible to those meant to see it (previously authorized users).
A way to ensure this through PHP is via two-way encryption (login and files). I don’t really know how to do that, so that’s all I am saying 🙂