Zend PHP 5 – Security – Password Hashing API

When storing passwords, the golden rule is never to store them in plain text. PHP provides several functions for hashing passwords, but not all of them are suitable for the job.
md5() and sha1()
Hashing algorithms such as MD5 and SHA1 are very fast and efficient. Unfortunately that speed works against you when the input is a password: with modern hardware it has become trivial to “brute force” the output of these algorithms to determine …
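The contrast between a fast unsalted digest and the password hashing API introduced in PHP 5.5 (password_hash(), password_verify(), password_needs_rehash()), shown as an added example that is not code from the original page. The function names store_password(), check_password() and maybe_rehash(), the cost value and the sample password are this example's own choices.

```php
<?php
// Added example: why md5()/sha1() are the wrong tool for passwords and how the
// PHP 5.5+ password hashing API is used instead. Helper names are ours.

// Weak: an unsalted fast hash. Two users with the same password get the same
// digest, and an attacker can test billions of md5() candidates per second.
function weak_hash($password) {
    return md5($password);
}

// Correct: password_hash() selects bcrypt (PASSWORD_DEFAULT), generates a
// random salt per call and embeds algorithm, cost and salt in the result,
// so nothing else needs to be stored. cost is a tunable work factor; raise
// it as hardware gets faster. Caveat: bcrypt only uses the first 72 bytes
// of the password.
function store_password($password) {
    $hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash; // e.g. "$2y$12$..." (60 characters for bcrypt)
}

// password_verify() parses the stored hash, recomputes with the embedded salt
// and cost, and compares in constant time. Never compare hashes with == / ===.
function check_password($password, $stored_hash) {
    return password_verify($password, $stored_hash);
}

// After a successful login you still have the plaintext in memory: if the
// stored hash was produced with an older algorithm or a lower cost, rehash it
// now so the database upgrades itself over time.
function maybe_rehash($password, $stored_hash) {
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT, array('cost' => 12))) {
        return store_password($password);
    }
    return null; // nothing to update
}

// Demonstration with a constructed password.
$pw = 'correct horse battery staple';
var_dump(weak_hash($pw) === weak_hash($pw));   // true: no salt, same digest every time
$h1 = store_password($pw);
$h2 = store_password($pw);
var_dump($h1 === $h2);                         // false: fresh salt on every call
var_dump(check_password($pw, $h1));            // true
var_dump(check_password('wrong', $h1));        // false
var_dump(maybe_rehash($pw, $h1));              // null: already at the current cost
var_dump(password_get_info($h1));              // algo, algoName and options parsed from the hash
```

When migrating an existing md5()/sha1() table, the same maybe_rehash() pattern works: verify against the legacy digest on login, then immediately store a password_hash() result and drop the old column once every active user has been converted.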

Zend PHP 5 – Security – Cross Site Request Forgery

Cross Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
URLs on websites can sometimes reflect the actions that they perform. …
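A synchronizer-token defence against the attack described above, added here as an example and not code from the original page. It assumes PHP 5.6 or later (hash_equals(), openssl_random_pseudo_bytes()), that sessions are in use, and that state-changing actions are only accepted over POST; the helper names csrf_token(), csrf_field() and csrf_check() and the /account/delete form are this example's own.

```php
<?php
// Added example: per-session CSRF token. Helper names are ours.

// Generate the token once per session from a CSPRNG and keep it server-side;
// the attacker's site can make the victim's browser send a request, but it
// cannot read this value.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $bytes = openssl_random_pseudo_bytes(32, $strong);
        if ($bytes === false || !$strong) {
            throw new RuntimeException('no cryptographically strong RNG available');
        }
        $_SESSION['csrf_token'] = bin2hex($bytes);
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form. Escaped even though the
// token is hex, so the helper stays safe if the encoding changes later.
function csrf_field() {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate the submitted token. hash_equals() compares in constant time and
// refuses non-strings, avoiding both timing leaks and == type juggling.
function csrf_check(array $post) {
    if (empty($_SESSION['csrf_token'])
        || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

session_start();

// A URL such as /account/delete must never perform the action on GET: a GET
// can be triggered by an <img src> on any page. Require POST plus the token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the state-changing action here ...
    exit('Account deleted');
}

echo '<form method="post" action="/account/delete">'
   . csrf_field()
   . '<button type="submit">Delete account</button>'
   . '</form>';
```

Rotating the token on login (unset $_SESSION['csrf_token'] right after session_regenerate_id()) prevents a token issued to an unauthenticated session from being reused after authentication.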

Zend PHP 5 – Security – Configuration

Display Errors
Unless you are in a closed development environment, certain configuration directives should be disabled for security reasons. The “display_errors” directive should be turned off, and all error messages should instead be written to the system log files by enabling the “log_errors” directive.
This prevents your environment from presenting sensitive information (file system paths, stack traces, fragments of failed queries) to the public.
You …
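The production settings the text recommends, as php.ini lines, together with a small runtime check that confirms they took effect on a given server. This is an added example, not configuration from the original page; the directive names are PHP's own, while the audit_error_config() function, its messages and the log path are this example's assumptions.

```php
<?php
// Added example: error-display hardening. Directive names are real PHP
// directives; the audit function and its output format are ours.

/*
; php.ini for a production server (the development value is shown for contrast)
display_errors         = Off    ; development: On.  Never show errors to clients.
display_startup_errors = Off    ; development: On.
log_errors             = On     ; write errors to the log instead.
error_log              = /var/log/php/error.log   ; must be writable by the PHP user
error_reporting        = E_ALL  ; still record everything, just not on screen.
html_errors            = Off    ; plain-text traces in the log, not HTML.
expose_php             = Off    ; drop the X-Powered-By: PHP/x.y header.
*/

// Returns a list of findings; an empty list means the directives match the
// recommended production values.
function audit_error_config() {
    $findings = array();

    // ini_get() returns strings: "0" or "" is off, "1" is on, and
    // display_errors may also be "stderr" or "stdout" (both mean on).
    $on = function ($v) {
        return in_array(strtolower((string) $v),
                        array('1', 'on', 'true', 'yes', 'stdout', 'stderr'), true);
    };

    if ($on(ini_get('display_errors'))) {
        $findings[] = 'display_errors is enabled: paths, traces and query text can leak to clients';
    }
    if ($on(ini_get('display_startup_errors'))) {
        $findings[] = 'display_startup_errors is enabled';
    }
    if (!$on(ini_get('log_errors'))) {
        $findings[] = 'log_errors is disabled: errors are lost instead of logged';
    }
    $log = ini_get('error_log');
    if ($log === '' || $log === false) {
        $findings[] = 'error_log is unset: errors go to the SAPI default (often the web server log)';
    } elseif ($log !== 'syslog' && !is_writable(dirname($log))) {
        $findings[] = "error_log directory is not writable by this process: $log";
    }
    if ($on(ini_get('expose_php'))) {
        $findings[] = 'expose_php is enabled: the PHP version is advertised in response headers';
    }
    return $findings;
}

// Runtime fallback for hosts where php.ini cannot be edited. Startup errors
// have already happened by the time this line runs, so php.ini (or the
// web server's per-directory settings) remains the authoritative place.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$findings = audit_error_config();
foreach ($findings as $f) {
    echo "WARNING: $f\n";
}
if (!$findings) {
    echo "error display/logging configuration looks fine\n";
}
```

Run the audit through the same SAPI as the application (a web request, not the CLI), since the CLI SAPI applies its own defaults for display_errors and error_log.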

Zend PHP 5 – Security – Session Security

Session management is at the core of web security. Developers should ensure that several practices are in place to protect against session identity theft.
There are a couple of ways that session security can be compromised:

Session Hijacking – When the session ID is stolen and that ID is the sole proof of authentication on the website.
Session Fixation – …
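Session handling hardened against both attacks listed above (a regenerated ID on login defeats fixation; cookie flags, strict mode and periodic rotation limit hijacking), shown as an added example that is not code from the original page. It assumes PHP 5.6 or later and that $user_id comes from the application's own credential check; the helper names and the 15-minute rotation interval are this example's choices.

```php
<?php
// Added example: session hardening against fixation and hijacking.
// Helper names, the rotation interval and the fingerprint choice are ours.

function secure_session_start() {
    // Accept session IDs from cookies only, never from ?PHPSESSID=... in the
    // URL, which is the classic way to plant a fixed ID on a victim.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Strict mode (PHP 5.5.2+): an ID the server never issued is discarded and
    // a fresh one generated, instead of being adopted as-is.
    ini_set('session.use_strict_mode', '1');
    // HttpOnly keeps script (i.e. XSS) from reading the cookie; Secure keeps
    // it off plaintext HTTP so it cannot be sniffed.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $secure, true);
    session_start();
}

// Call immediately after credentials are verified. The new ID makes any ID an
// attacker fixed before login worthless, and true deletes the old session
// data rather than leaving it usable.
function login_session($user_id) {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['last_rotation'] = time();
    // Cheap hijack detection. Bind to the User-Agent only: client IPs change
    // on mobile networks, and a mismatch should log the user out, not block them.
    $_SESSION['ua_hash'] = ua_fingerprint();
}

function ua_fingerprint() {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ua);
}

function session_is_valid() {
    if (empty($_SESSION['user_id']) || !isset($_SESSION['ua_hash'], $_SESSION['last_rotation'])) {
        return false;
    }
    if (!hash_equals($_SESSION['ua_hash'], ua_fingerprint())) {
        return false;
    }
    // Periodic rotation bounds how long a stolen ID stays useful.
    if (time() - $_SESSION['last_rotation'] > 900) {
        session_regenerate_id(true);
        $_SESSION['last_rotation'] = time();
    }
    return true;
}

// Full logout: clear data, expire the cookie in the browser, destroy the store.
function logout_session() {
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

secure_session_start();
if (!session_is_valid()) {
    logout_session();
    header('Location: /login');
    exit;
}
```

If session.use_strict_mode is unavailable (PHP before 5.5.2), the same effect can be approximated by regenerating the ID on every request where $_SESSION is empty, so a client-supplied ID never becomes an authenticated session.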