Quite a while ago, O'Reilly sent me a copy of my friend and colleague, Chris Shiflett's book, Essential PHP Security.
When I received it, I read through it quickly and knew it was a good book, but I didn't have much else to say about it, lest I join the ranks of the "me too!"-ers (everyone was already saying it's a good book).
Today, I was wondering about session ID regeneration. I know it's important, but I was looking for a "best practice," or opinion on an appropriate level of session ID regeneration.
After a few quick Web searches, I remembered that I have a copy of the aforementioned book. I respect Chris' opinion on such matters, so I pulled it out of my pile.
A glance at the index shows:
session identifier
    obtaining, 43
    regenerating at session, 46
    regenerating for change in privilege, 46
    regenerating on every page, 47
Turns out page 47 contains exactly what I was looking for. It's too long to quote here, but the gist is: regenerate only on privilege escalation, not on every page. Regenerating on every page works for the most part, but it causes problems with the back/forward buttons and needlessly annoys users.
Thanks, Chris!
S
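To make the "regenerate on privilege change, not on every page" advice concrete, here is an added PHP example of my own; it is not code from the book or from Chris. The user table, the password hashes and the helper names (verify_credentials, on_privilege_change, elevate_to_admin) are all constructed for the demo; a real application would check credentials against its own store.

```php
<?php
// Added example, not from the book: regenerate the session ID only when the
// session's privilege level changes (login, role elevation, logout).
declare(strict_types=1);

// Assumption: PHP 5.5.2 or later, so session.use_strict_mode is available.
// It makes PHP refuse session IDs it did not issue itself, which closes the
// "attacker hands the victim a chosen ID" variant of session fixation.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Constructed in-memory user table; hashes are computed at load time so the
// example is self-contained. Replace with your own credential store.
$users = [
    'alice' => password_hash('correct-horse-battery', PASSWORD_DEFAULT),
];

// Hypothetical credential check (not the book's API).
function verify_credentials(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Call this at every privilege change. session_regenerate_id(true) issues a
// fresh ID and deletes the old session data, so an ID an attacker captured
// before login no longer maps to the authenticated session.
function on_privilege_change(): void
{
    session_regenerate_id(true);
    $_SESSION['regenerated_at'] = time();
}

function login(array $users, string $user, string $password): bool
{
    if (!verify_credentials($users, $user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;
    $_SESSION['role'] = 'member';
    on_privilege_change();          // anonymous -> authenticated
    return true;
}

// The caller is responsible for re-authenticating (or checking a second
// factor) before elevating; this function only records the new role and
// regenerates the ID, because member -> admin is a privilege change too.
function elevate_to_admin(): void
{
    $_SESSION['role'] = 'admin';
    on_privilege_change();          // member -> admin
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie as well so the browser stops presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Ordinary page requests deliberately do NOT call on_privilege_change().
// Regenerating on every page leaves the ID embedded in cached or history
// pages stale, so back/forward resubmits a dead session and the user is
// logged out: the annoyance the book warns about, with no security gain.

// Constructed usage:
if (login($users, 'alice', 'correct-horse-battery')) {
    echo 'logged in as ', $_SESSION['user'], ' with role ', $_SESSION['role'], "\n";
}
```

The security-relevant point is the asymmetry: the ID must change whenever the session becomes more valuable to an attacker (it now represents an authenticated or elevated user), and changing it at any other time buys nothing. If you later add a "remember me" feature or privilege downgrades, treat those as privilege changes and route them through the same function.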
I would like to point out that not everyone says it is a good book.
Only friends and colleagues or newbies think it is a good book.
People in the security industry laugh about it.
It contains even more security holes and BAD recommendations than the stripped-down version, a.k.a. the PHP Security Guide.
Stefan, while you may be right on some accounts, I would be much more inclined to listen to your opinion if you didn't have a reputation of launching personal attacks against Chris.
That is all. (-:
S
Oh come on this LIE is getting old.
Let's not forget that it is Shiflett who launches personal attacks against my person.
When I said something against him it was based on fact, his malicious manipulation of Wikipedia entries, flaws in his pseudo security guide, ...
He, on the other side, removes my comments in his blog, calls me unprofessional on mailing lists, and writes ridiculous blog entries on his blog about me being too dumb to understand his examples, when I disclose security holes in his guide.
So please stop twisting facts. He attacked me several times in a very unprofessional way, not the other way around.
Hi Sean,
Glad to hear the book came in handy. :-)
Regarding Stefan, I know his attacks are incessant, but that doesn't mean he's right every once in a while. I'm not sure what you mean by "you may be right on some accounts," but hopefully not that.
I ignore him, and I'm sure I don't miss anything important.
Unfortunately, I happen upon his comments in someone's blog every once in a while (perhaps because he never passes up an opportunity to attack me), and I feel the need to dispel his lies once again.
[quote]Only friends and colleagues or newbies think it is a good book.[/quote]
I must know and work with [url=http://phpsecurity.org/reviews]a lot of people[/url].
Of course, most of the people Stefan dismisses as friends and colleagues of mine are people I've gotten to know through my involvement in the PHP and web application security communities (e.g., people whose opinions are relevant).
[quote]People in the security industry laugh about it.[/quote]
Hollow claims are nothing new. Perhaps he means experts like Ivan Ristic (mod_security), Jeremiah Grossman (WASC), and Andrew van der Stock (OWASP)? I would value their honest feedback. These are smart, respectable people.
[quote]Let's not forget that it is Shiflett who launches personal attacks against my person.[/quote]
As far as I can tell, the only thing I've done is point out an error in Stefan's comprehension of CSRF (a topic he still struggles with, based on [url=http://shiflett.org/blog/2007/apr/javascript-hijacking#comment-4]a recent comment[/url]), and this was a few years ago. I'm also not the only one who has [url=http://jeremiahgrossman.blogspot.com/2006/09/csrf-sleeping-giant.html#c115980410702861838]done so[/url]. If that's considered a personal attack, I'm surprised he treats others so poorly. Treat others as you would have them treat you?
Hi Chris,
[quote]Regarding Stefan, I know his attacks are incessant, but that doesn't mean he's right every once in a while. I'm not sure what you mean by "you may be right on some accounts," but hopefully not that.[/quote]
All I meant is that I haven't taken the time to sift through the drivel and figure out if he's ever actually come up with a valid criticism. Even if he did, I'd take it with a huge grain of salt, considering the past tone of blog posts from his site. Even then, if you look hard enough, you can find mistakes in anyone's work. The real problem is when people stand by their bad science. With you, I'm not concerned.
Short version: I can't say on good authority that he's never been right. I didn't want to get called out if I was even the slightest bit out of line.
I certainly wouldn't want to be labeled as a "[url=http://twitter.com/s_esser][person] who maliciously attack[s] [him][/url]" (even though my reply above probably earned me a spot on the list).
S
[quote]It contains even more security holes and BAD recommendations than the stripped down version aka. PHP Security Guide.[/quote]
I wanted to buy this book: could you elaborate on these security holes? I only found one blog entry regarding one hole.
Good night Stefan - do you just follow around any blog entry about Chris to post your childish rants? Get a life and a clue. I used to have respect for Stefan, hardened php, etc - until I see his childish rants all over the place. Are we in grade school again?
I read this book a while back and found it helpful. I think that Chris should print an updated version - but it is still good nonetheless.
Who needs reality TV when we have a live, all-year-long show?
Good work Chris.