Hi, I have a website going live shortly that has a very simple system whereby customers can purchase a single item from the website. I am using PHP sessions to store the customer's product, personal and bank details as they move through the site.
However, I am concerned that I do not have any PHP session security, or not enough, or that it is not done properly. I have read Chris Shiflett's page on security and tried to implement his methods, but I really haven't been able to grasp or understand what needs to be done, and I think that what I currently have in place isn't even working.
My current code is very small and only appears at the start of any page with "session_start()" and here it is:
<?php
session_start();

// On the first request of a new session, discard the session ID the browser
// presented and issue a fresh one (a guard against session fixation), then
// mark the session so this block runs only once per session.
if (!isset($_SESSION['initiated']))
{
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}
To be honest I really have no idea what this is doing apart from regenerating the session id if $_SESSION['initiated'] is not true.
Could someone please suggest some session security methods that I can implement into my site and any other security measures you think might be required.
Thanks in advance.
Daniel.
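A hardened version of that bootstrap, added here as an illustration. It is not code from the question or from any answer; the timeout values, the redirect target and the function names are assumptions chosen for the example. It keeps the fixation guard from the original block and adds the cookie flags, idle and absolute lifetimes, periodic ID rotation and the User-Agent check that Chris Shiflett describes.

```php
<?php
// Added example (not code from the original post): a hardened session
// bootstrap to include at the top of every page in place of the bare
// session_start() block in the question. Timeouts and function names are
// illustrative choices, not values the original page specifies.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 900;   // assumption: expire after 15 min idle
const SESSION_ABSOLUTE_LIMIT = 3600;  // assumption: expire 1 h after creation
const SESSION_ROTATE_EVERY   = 300;   // assumption: rotate the ID every 5 min

function secure_session_start(): void
{
    // Accept the session ID only from the cookie, never from the URL, and
    // refuse IDs the server did not itself issue (both block session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: HTTPS-only, hidden from JavaScript, not sent on
    // cross-site requests. The array form needs PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
    $now = time();

    if (!isset($_SESSION['initiated'])) {
        // First request of a new session: replace whatever ID the browser
        // presented and delete the old record (true), then stamp the session.
        session_regenerate_id(true);
        $_SESSION['initiated']   = true;
        $_SESSION['created_at']  = $now;
        $_SESSION['last_active'] = $now;
        $_SESSION['rotated_at']  = $now;
        $_SESSION['ua_hash']     = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
        return;
    }

    // Idle and absolute lifetimes: a stolen cookie is only useful for so long.
    $expired = ($now - $_SESSION['last_active']) > SESSION_IDLE_LIMIT
            || ($now - $_SESSION['created_at'])  > SESSION_ABSOLUTE_LIMIT;

    // Shiflett's User-Agent fingerprint: a hijacker presenting a different
    // browser string is cut off. It is cheap but weak, since whoever captured
    // the cookie usually captured the User-Agent too; HTTPS is what actually
    // keeps the cookie private.
    $uaMismatch = !hash_equals(
        $_SESSION['ua_hash'] ?? '',
        hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '')
    );

    if ($expired || $uaMismatch) {
        destroy_session();
        header('Location: /');   // assumption: send the customer back to the start
        exit;
    }

    // Periodic rotation limits how long any one ID stays valid.
    if (($now - $_SESSION['rotated_at']) > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }

    $_SESSION['last_active'] = $now;
}

// Wipe the server-side data and expire the client cookie, for example once
// the order is complete or the customer abandons it.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

secure_session_start();
```

Call it before any output is sent, since it sets cookies and may issue a redirect. Two caveats apply regardless of how the session is handled: the site must run over HTTPS end to end, or the `secure` flag will simply stop the cookie being sent; and bank details should not be kept in `$_SESSION` at all, because the default handler writes session data as plaintext files in a directory shared with every other site on the host. Hand card data straight to the payment provider and keep only a reference to it in the session.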