Old dog (23 years of PHP coding) learned a new trick with the regenerate offering a more secure version. Thanks.
after 23 years you should know where the PHP documentation is. read it. session_regenerate_id just generates a new ID. It is by no means any more secure or fancier than the ID you started with. Generating a new ID, e.g. after login, is a good measure against session fixation though. But the explanation in the video is just wrong. Same for the strict_mode.
@@RoterFruchtZwerg would it not still be more secure given the fact it's an entirely new id? Where is all this hostility coming from?
And here we go making our website more and more secure with every passing session.
Thanks, as always. V glad I found your channel.
awesome video sir
thank you for being such an amazing teacher
Excellent tutorial thank you
Hello Dani, thanks for all your amazing videos. Can you please do a full course on Laravel? I've seen tons of videos on YouTube on Laravel and I feel I'll get a better understanding if you taught the course. I am really looking forward to it. Gracias
I feel the same way, he should do that.
waiting for this
Great video. Appreciated.
You're a good teacher. Keep doing the good job!
you showed me a lot of things, I am new. BTW you are a fantastic speaker! Thanks!!!
Laravel tutorial please. You explain very well
Can you make us a long episode talking about all security mesures we could take please?
Many thanks.
Lambda is a naming convenience
Tomorrow I have my first technical interview for a junior PHP dev job offer, since I just finished my studies. I am obviously not prepared for that and will take it as an interesting experience; I am not very proficient at PHP and I spent most of my previous days panicking and procrastinating. Anyways, your recent videos have been very helpful and in time, thank you.
I’m glad you found the videos helpful. Good luck on the interview! 🙂
Thank you
You are real Dan
I am first
Dani thanks
If you want to make a result system, you have to create a table for both levels in the database, and view it too using PHP.
first woohoo!
nvm i'm second 😢
❤❤❤
11:02 Hey there, if I use these security configurations, do I have to fire them again when I want to use session information from a PHP file called by AJAX?
Hi, great tips but still missing about csrf. and xss ( when outputting something) in php. ;)
We did cover a bit of XSS protection earlier in this course, but you are right about there not being a "XSS specific lesson", as well as an episode on CSRF protection. 🙂
Before getting into more security, I'd like to create a small exercise video to get people more comfortable with what we have learned up until now. Maybe even put security on hold for a few videos, since some complete beginners may find it overwhelming, when too much security is being covered right after one another. 🙂
@@Dani_Krossing Hi, yes, it's best to learn by doing something with a specific context.
Now, I didn't see all the previous videos of this series, but I think it is missing the alternative syntax of control flow like if, foreach, etc., as well as separating business logic from presentation (HTML).
Would you say it's dangerous after following these precautions to use a user "role" passed through session to identify which part of a multi_auth a user has access to? if so I can't think of another way to do it. I'd love your input.
One trick is not to use the sessions as you've defined them. Meaning, create two or three hidden keys which define the current session, which will eventually expire.
How to do that?
@@RMadaraPlay Let the backend maintain the "session", by keeping some keys, defining the session, in a db, or even text files. Then have other sessions, or a cron job define when the session is up, and go delete the keys. The front end, gets the keys, via hidden fields. Therefore, you can also have finer control, even controlling how many sessions a user can have, etc. Or assert that the user has actually gotten somewhere validly.
@@normbograham Lots of words I don't understand, I'm a beginner in PHP. A shame Dani doesn't make videos anymore.
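On the question above about passing a user "role" through the session: here is an added PHP example (not code from the video or from either commenter) showing the usual way to keep that safe. Only the user id is stored in the session, which the browser cannot tamper with because session data lives server-side, and the role is re-read from the database on each privileged request, so a demoted or banned user loses access immediately instead of carrying a stale role until the session ends. It assumes the pdo_sqlite extension for the self-contained demo and a hypothetical `users` table with `id` and `role` columns; the function names are my own.

```php
<?php
// Added example, not from the video. Assumes PDO with the sqlite driver
// (only used here to build a throwaway demo database) and a hypothetical
// users(id, role) table.

declare(strict_types=1);

// Authoritative role lookup: the session only tells us *who*; the database
// tells us *what they may do right now*.
function currentUserRole(PDO $db): ?string
{
    if (!isset($_SESSION['user_id'])) {
        return null;                       // not logged in
    }
    $stmt = $db->prepare('SELECT role FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $role = $stmt->fetchColumn();
    return $role === false ? null : (string) $role;   // null if the user was deleted
}

// True if the current user holds one of the allowed roles.
function hasRole(PDO $db, string ...$allowed): bool
{
    $role = currentUserRole($db);
    return $role !== null && in_array($role, $allowed, true);
}

// Gate for a protected page: call at the top of e.g. admin.php.
function requireRole(PDO $db, string ...$allowed): void
{
    if (!hasRole($db, ...$allowed)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- Demo with a constructed in-memory database ---------------------------
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, role) VALUES (1, 'admin'), (2, 'member')");

// Simulate what login would have stored (in a real page this follows session_start()).
$_SESSION['user_id'] = 2;
var_dump(hasRole($db, 'admin'));            // member trying the admin area
var_dump(hasRole($db, 'member', 'admin'));  // area open to both roles

// Role change takes effect on the very next request, without touching the session.
$db->exec("UPDATE users SET role = 'admin' WHERE id = 2");
var_dump(hasRole($db, 'admin'));
```

If the extra query per request is a concern, caching the role in `$_SESSION` is still fine as long as you regenerate the session ID and refresh the cached value whenever the role changes; what you should avoid is trusting a role that came from the client side (a hidden form field or a cookie the browser can edit).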
Can you make a video about your membership, like what can I do when I have a membership?
Members have access to my lesson notes, as well as the option to download my lesson videos for offline use. 🙂 As well as simply support what I do here on RUclips, to help me continue to make lessons.
@@Dani_Krossing Legend, Wednesday I join your membership! I like your videos about HTML & CSS, I learn more than at school. Thank you very much!!!
Hi Dani, I just became a member of your YouTube channel to get the material but I can't find it. Do I need to do Patreon instead?
🥰
Will this file run each time the page opens or is refreshed? In other words, this code will refresh the session ID every 30 minutes, but only if the page is refreshed? Thanks in advance.
I like that you make a Procedural PHP series for 2023. I wish you would make real-world projects with Procedural PHP and vanilla JS; I am so tired of trying to learn complex frameworks, OOP, MVC, etc., where to find something it is split inside files inside files.... Thank you!
Procedural PHP is always great for learning the fundamentals thoroughly 🙂 it’s just important to remember, that it isn’t practical to use PHP procedurally in real life projects, unless we are talking about just implementing a very basic feature.
So if a person just wants to learn PHP for their own sake, then Procedural is great. But professionally, it is mandatory to learn OOP PHP, as well as at least one framework. 🙂
Did not understand how this config page will be triggered. I mean, for the session ID to be regenerated after a certain interval of time, it must be checked multiple times, right? Like once the if condition fails, we should come back after a certain time, right? And how are we coming back? Who is making sure to trigger the config file?
It triggers every time the user visits any page (assuming you included it on every page). So if a person doesn't visit for 6 months, as soon as they do . . . the page will trigger the math and regenerate. If a user is on your page for an hour (clicking around) as soon as the time is up, it will trigger regenerating their id.
@@RaymondWade Was just looking for this same answer. Thanks for taking the time to explain. Much love.
Does this also apply when PHP is only an API? Context: I have to make requests to the backend in PHP, but my front-end is Next.js; the session ID comes from PHP, but cookie management is from Next.js. Is that alright?
First of all, that's not at all a bad video. A small remark would be that session_regenerate_id a priori should only be called at the authentication transitions (for else an attacker may also lock the real user out) and possibly periodically, and I don't think it influences the complexity of the actual session ID itself, but only makes a new one.
Don't hurt me dude!
I haven't tried it, but in theory ini_set('session.sid_length', 256); should do.
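The points raised in the last few threads (the "does it run every 30 minutes or only on page load" question, the reply that regeneration belongs at authentication transitions plus an optional periodic rotation, and the remark that `session_regenerate_id` does not make the ID itself any stronger) are easiest to see together in one bootstrap file. The following is an added PHP example and not the code from the video. It assumes PHP 7.3 or newer (array form of `session_set_cookie_params`), that the site is served over HTTPS, and that the file is required before any output on every page that touches the session, AJAX endpoints included, because `ini_set` only affects the current request. The 30-minute interval and the function names are my own choices.

```php
<?php
// Added example, not the video's code. Assumes PHP >= 7.3, HTTPS, and that
// this file is required at the top of every script that uses the session.

declare(strict_types=1);

const SESSION_REGEN_INTERVAL = 30 * 60;   // seconds; assumed value

function bootSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                  // already started by another include
    }

    // Every ini_set here must happen BEFORE session_start().
    // use_strict_mode: PHP only accepts IDs it generated itself. A cookie an
    // attacker planted in the victim's browser (session fixation) is discarded
    // and replaced, which is the real fixation defence; regeneration on login
    // closes the remaining window where the attacker knows the pre-login ID.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');    // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');       // never write the ID into links

    // ID strength is a property of session.sid_length / session.sid_bits_per_character
    // (defaults 32 chars x 4 bits = 128 bits of entropy). Regenerating the ID does
    // not change that; it only makes an ID someone learned earlier worthless.
    // PHP 8.4 deprecates both settings, so the defaults are simply kept here.

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Lax',    // not sent on cross-site POSTs (helps against CSRF)
    ]);

    session_start();

    // Periodic rotation. This block runs on every request that includes this
    // file, so the ID changes on the first request AFTER the interval elapsed,
    // not at exactly 30 minutes; nothing runs while the user is idle.
    $last = $_SESSION['last_regeneration'] ?? null;
    if ($last === null || time() - $last >= SESSION_REGEN_INTERVAL) {
        regenerateSession();
    }
}

function regenerateSession(): void
{
    // Existing $_SESSION data is carried over to the new ID. true deletes the
    // old session storage right away; if you see lost sessions with several
    // concurrent AJAX requests, consider regenerating without the flag.
    session_regenerate_id(true);
    $_SESSION['last_regeneration'] = time();
}

// Authentication transition: call this once, right after the password check.
function loginUser(int $userId): void
{
    regenerateSession();              // the pre-login ID is now useless
    $_SESSION['user_id'] = $userId;
}

// Full teardown: clear data, expire the cookie, destroy server-side storage.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

bootSecureSession();
```

To answer the AJAX question in the same thread: the cookie settings and `use_strict_mode` are per request, so an endpoint that calls `session_start()` without this file would start the session with PHP's defaults. Requiring the same file at the top of the AJAX script gives it identical settings and lets it share the same session.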
From Tanzania, I understood it well.
I shaved my head like you 😁
Does Laravel already use all of that?
Yes, Laravel has built-in functionality to protect sessions, which means you don't need to manually implement most of the example code. Laravel uses the Laravel Session component for session management, which offers the following features:
CSRF protection: Laravel automatically generates and validates a CSRF token for all forms, which prevents CSRF attacks.
Session encryption: Laravel encrypts session data, preventing unauthorized reading.
Access restriction: Laravel allows you to define which users have access to sessions and configuration settings.
Adjustable session duration: Laravel allows you to set session duration and auto-timeout.
Session ID regeneration: Laravel offers easy session ID regeneration, which helps prevent session hijacking.
In addition to the built-in functionality, Laravel also offers a number of packages and tools to further improve session security, such as:
Laravel-Session-Hijacking-Prevention: Additional protection against session hijacking.
Laravel-Secure-Sessions: Extended functionality for securing sessions.
In short, Laravel offers comprehensive session protection and does not require manual implementation of most of the example code. Using the packages and tools available in the Laravel ecosystem can further improve the security of your sessions.
Additional notes:
Laravel uses the config/session.php file to configure sessions.
Laravel automatically loads configuration files, so you don't need to use require_once.
Laravel also offers a number of helper functions for working with sessions, such as session(), auth(), csrf_token().
@@dragansimeunovic4176 That sounds amazing. As a new PHP dev I am going to have to stay away from Laravel for a while so I can get a better grasp on how things work in the background.
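For readers comparing the hand-written settings with Laravel's, here is an added fragment of the `config/session.php` keys that correspond to them. It is an illustration, not the comment author's code nor a copy of Laravel's shipped file; the values are assumptions for a production deployment, and the `env()` names follow the ones Laravel's default file already uses.

```php
<?php
// Added example: the config/session.php keys that map onto the manual
// settings discussed above. Values are assumptions for production.
return [
    // Server-side storage for session data (file, database, redis, ...).
    'driver'          => env('SESSION_DRIVER', 'database'),

    // Minutes of inactivity before the session expires.
    'lifetime'        => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,

    // Encrypt stored session data. This is off in Laravel's default file,
    // so it has to be switched on explicitly if you rely on it.
    'encrypt'         => env('SESSION_ENCRYPT', true),

    // Cookie attributes: same Secure / HttpOnly / SameSite trio as the
    // session_set_cookie_params() call in plain PHP.
    'secure'          => env('SESSION_SECURE_COOKIE', true),
    'http_only'       => true,
    'same_site'       => 'lax',
];
```

Session ID regeneration is not automatic on login either: Laravel's authentication docs show calling `$request->session()->regenerate()` right after a successful `Auth::attempt()`, and `$request->session()->invalidate()` followed by `$request->session()->regenerateToken()` on logout, which is the same "regenerate at authentication transitions" rule discussed in the thread above.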
I'm already lost 🤨