Sessions
Session data should be stored on the server (in files or in SQLite), not in cookies. If it must be stored in cookies, the values have to be encrypted, and encryption alone is not enough: a cookie the client can edit also needs an integrity check (a MAC), or an attacker can still tamper with the ciphertext without knowing the key. The reasoning behind not using cookies is that the user could change the value and gain access to a user account that the person isn't supposed to have. This could be the hack that was used to gain access to the old Mecha Warz game site. I could add the fix to the game site, but I don't really want to do it at this time.
- session_save_path($path)
This function sets the directory where PHP writes its session files, and it must be called before session_start(). It doesn't stop the session cookie from being used; it makes the cookie carry only the session ID while the data itself stays on the server, which is what keeps the data out of the user's hands. The directory should be outside the web root (not just in a subdirectory of it) so hackers cannot request the files through the web server, and it should be readable only by the account PHP runs as; on shared hosting where every site runs as the same user, use a private directory per site rather than the shared default. Once that is done, the session data itself won't have to be encrypted, since it never leaves the server.
- session_set_save_handler()
Can be used to move session storage into SQLite or MySQL for the same reason: the cookie still holds only the session ID, and the data lives in a database the client cannot read or edit. I would rather use SQLite, since the MySQL handler that I built had some problems with keeping the old data.
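The handler approach described in the two items above, as an added example that is not the author's code (the post does not show the original SQLite or MySQL handler). It assumes PHP 8.0 or later with PDO's SQLite driver, and a database file at the hypothetical path /var/app/private/sessions.sqlite, outside the web root. The file-based alternative using session_save_path() is shown in a comment.

```php
<?php
// Added example (not the author's code): keep session data in an SQLite file
// outside the web root via session_set_save_handler(), so the cookie carries
// only the session ID and the data itself never leaves the server.
//
// File-based alternative for the session_save_path() item, also before
// session_start():  session_save_path('/var/app/private/sessions');
// (hypothetical path; must exist, be outside the web root, and be writable
// only by the PHP user).

class SqliteSessionHandler implements SessionHandlerInterface
{
    private PDO $db;

    public function __construct(string $file)
    {
        $this->db = new PDO('sqlite:' . $file);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id      TEXT PRIMARY KEY,
            data    BLOB NOT NULL,
            updated INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Prepared statement: the session ID from the cookie is a parameter,
        // never pasted into the SQL text.
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $st->execute([':id' => $id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Insert or overwrite the row for this session ID.
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, updated) VALUES (:id, :data, :now)');
        return $st->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $st->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Remove expired rows so old session data does not linger in the file.
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < :cutoff');
        $st->execute([':cutoff' => time() - $max_lifetime]);
        return $st->rowCount();
    }
}

$handler = new SqliteSessionHandler('/var/app/private/sessions.sqlite');  // hypothetical path
session_set_save_handler($handler, true);

// The cookie now holds only the ID: keep it away from scripts and plain HTTP.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
```

The gc() method is what keeps old data from accumulating: PHP calls it on a fraction of requests (session.gc_probability / session.gc_divisor), so on a low-traffic site it is worth also running it from a cron job. The SQLite file needs the same protection as a session directory: outside the web root and not readable by other accounts.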
Forms
Every form should carry a hidden token, to keep cross-site request forgery (CSRF) attacks from occurring (this is not an XSS defense; XSS is handled by escaping output). The value will be generated at sign-in and tied to the session, so a form the attacker builds on their own site cannot carry a token that matches the victim's session. It should then be regenerated every five minutes to further the security, so that a token the attacker does get hold of only works for a short window. The hacker can sign in and generate a form of their own, but the token they get belongs to their session, not the victim's, and is rejected when the victim submits it.
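The per-session token with the five-minute rotation described above, as an added example that is not the author's code. It assumes session_start() has already run (with server-side storage, as in the Sessions section), that the sign-in handler calls csrf_issue() once, and that the form's hidden field is named csrf; the function names are hypothetical.

```php
<?php
// Added example (not the author's code): per-session anti-CSRF token that is
// rotated every five minutes. Assumes session_start() has already been called.

const CSRF_ROTATE_AFTER = 300;  // seconds; the five minutes from the note

// Called once at sign-in. random_bytes() is a CSPRNG; uniqid()/md5(time())
// would be guessable.
function csrf_issue(): string
{
    $_SESSION['csrf'] = [
        'token'  => bin2hex(random_bytes(32)),
        'issued' => time(),
    ];
    return $_SESSION['csrf']['token'];
}

// Token to embed in the next form; regenerated if the current one is stale.
function csrf_token(): string
{
    if (!isset($_SESSION['csrf'])
        || time() - $_SESSION['csrf']['issued'] > CSRF_ROTATE_AFTER) {
        return csrf_issue();
    }
    return $_SESSION['csrf']['token'];
}

// Verify a submitted token. A missing token fails; a stale token fails;
// hash_equals() compares in constant time so the value cannot be guessed
// byte by byte through timing.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || !isset($_SESSION['csrf'])) {
        return false;
    }
    if (time() - $_SESSION['csrf']['issued'] > CSRF_ROTATE_AFTER) {
        return false;
    }
    return hash_equals($_SESSION['csrf']['token'], $submitted);
}

// Hidden field for the form template.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Handling a POST: reject before doing anything with the rest of the input.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired, or wrong.');
    }
    // ... process the action ...
}
```

One consequence of rotation to plan for: a form rendered just before the token changes and submitted after it fails the check, so the user sees a 403 for a legitimate action. Keeping the previous token alongside the current one and accepting either for one rotation period removes that failure without widening the window much. The token must also be regenerated whenever the session ID is (session_regenerate_id() at login), which csrf_issue() at sign-in covers.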
- Negative Numbers
I can’t really think of any reason to allow negative values in the game. If there is a reason, then there should be a function to allow for that.
- Checking the Form Input Type
If the input is supposed to be a number, then check that it really is an integer (and within range) before using it; everything in $_POST arrives as a string, and a value like "5abc" or "1e3" should be rejected, not coerced. If the type is supposed to be something else, bound its length and character set. Don't try to spot SQL injection by searching the value for quotes or keywords: that kind of blacklist is easy to get wrong and easy to bypass. Send values to the database through prepared statements with bound parameters, so they can never be interpreted as SQL in the first place, and HTML-escape them on output.
If the type is supposed to be from a defined set, then check for that also, with a strict comparison against the allowed list. It could take a little more time, but it would save a lot of headache in the future.
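The three checks from the Forms items above (non-negative integer, value from a defined set, free text) carried through to a prepared statement, as an added example that is not the author's code. The table and column names (units, name, faction, armor), the faction list, and the database path are hypothetical; it assumes PHP 7.1 or later with PDO's SQLite driver.

```php
<?php
// Added example (not the author's code): validate each field for its expected
// type, then use the values only through bound parameters. Table/column names
// and the faction list are hypothetical.

const FACTIONS = ['red', 'blue', 'green'];  // the "defined set" for that field

// Non-negative integer in [0, $max]. Rejects "-5", "5abc", "1e3", "" and
// anything over $max. Returns null on failure so the caller cannot confuse a
// rejected value with a legitimate 0.
function read_uint(array $in, string $key, int $max = PHP_INT_MAX): ?int
{
    if (!isset($in[$key]) || !is_string($in[$key])) {  // name[]=... arrives as an array
        return null;
    }
    $v = filter_var($in[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

// Value from a fixed list. Strict in_array() so "0" cannot match loosely.
function read_enum(array $in, string $key, array $allowed): ?string
{
    if (!isset($in[$key]) || !is_string($in[$key])) {
        return null;
    }
    return in_array($in[$key], $allowed, true) ? $in[$key] : null;
}

// Free text: bound the length and character set. No attempt to strip "SQL
// characters"; the prepared statement below makes that unnecessary, and the
// value must still be HTML-escaped when it is rendered.
function read_name(array $in, string $key): ?string
{
    if (!isset($in[$key]) || !is_string($in[$key])) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 _-]{1,32}$/', $in[$key]) ? $in[$key] : null;
}

$name    = read_name($_POST, 'name');
$faction = read_enum($_POST, 'faction', FACTIONS);
$armor   = read_uint($_POST, 'armor', 1000);

if ($name === null || $faction === null || $armor === null) {
    http_response_code(400);
    exit('Invalid input.');
}

// Parameters travel separately from the SQL text, so even a name like
// "x'; DROP TABLE units;--" (which read_name() would already reject) is
// stored as a plain string and never executed.
$db = new PDO('sqlite:/var/app/private/game.sqlite');  // hypothetical path
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$st = $db->prepare('INSERT INTO units (name, faction, armor) VALUES (:name, :faction, :armor)');
$st->bindValue(':name', $name, PDO::PARAM_STR);
$st->bindValue(':faction', $faction, PDO::PARAM_STR);
$st->bindValue(':armor', $armor, PDO::PARAM_INT);
$st->execute();
```

The is_string() checks matter because a field named name[] in the request makes $_POST['name'] an array, and functions such as preg_match() and filter_var() then either warn or silently return something other than what the check expected. Returning null rather than false from the readers keeps "rejected" distinct from a legitimate 0 or "0".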
Encryption
A random key should be generated for each session and stored on the server side with the session data, so it lives for the entire session and never reaches the client (check that it survives across requests). The key is then used to encrypt the other values that have to round-trip through the client and come back intact, such as hidden form values. Use an authenticated encryption mode, so that an edited value is rejected rather than decrypted into something unexpected; the randomized "message" in the original scheme is best handled as a fresh random nonce per encrypted value, not a second per-session secret.
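The per-session key scheme described above, as an added example that is not the author's code. It uses libsodium's secretbox (authenticated encryption, available in PHP 7.2 and later) in place of whatever cipher the original notes had in mind, assumes session_start() has already run with server-side storage, and uses hypothetical function names and a hypothetical "unit:42" value.

```php
<?php
// Added example (not the author's code): a random key generated once per
// session and kept only in server-side session storage, used to seal values
// that must round-trip through the client. secretbox authenticates as well as
// encrypts, so an edited value fails to open instead of decrypting to garbage.
// Assumes session_start() has already been called.

function session_key(): string
{
    if (!isset($_SESSION['enc_key'])) {
        $_SESSION['enc_key'] = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    }
    return $_SESSION['enc_key'];
}

// Fresh nonce for every value; nonce || ciphertext is base64-encoded so it
// fits in a form field.
function seal_value(string $plain): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = sodium_crypto_secretbox($plain, $nonce, session_key());
    return sodium_bin2base64($nonce . $ct, SODIUM_BASE64_VARIANT_URLSAFE);
}

// Returns null when the field was altered, truncated, or sealed under another
// session's key, instead of trusting it.
function open_value(string $field): ?string
{
    try {
        $raw = sodium_base642bin($field, SODIUM_BASE64_VARIANT_URLSAFE);
    } catch (SodiumException $e) {
        return null;  // not valid base64
    }
    $nlen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $nlen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;  // too short to hold a nonce and a MAC
    }
    $plain = sodium_crypto_secretbox_open(
        substr($raw, $nlen), substr($raw, 0, $nlen), session_key());
    return $plain === false ? null : $plain;
}

// Usage: the unit ID goes out sealed in a hidden field and comes back verified.
$hidden = seal_value('unit:42');  // hypothetical value
// <input type="hidden" name="unit" value="<?= htmlspecialchars($hidden, ENT_QUOTES, 'UTF-8') ?>">
$unit = open_value($_POST['unit'] ?? '');  // null if tampered with
```

Two caveats. The key is only as secret as the session store, which is the reason the Sessions section wants that store on the server. And a sealed value proves it came from this session unchanged, not that it belongs in this particular form: a user can copy a sealed "unit:42" from one page into another page's field in the same session. If that matters, include the form or action name in the plaintext and check it after opening.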