Cookies should be transferred before a web page’s HTML because they are sent as part of the headers.
To store a cookie on a web browser, use the setcookie function.
To destroy a cookie, reissue it with setcookie but set its expiration date to sometime in the past.
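The two cookie operations described above, as an added example (not code from the original page). It assumes PHP 7.3 or later for the options-array form of setcookie(); the cookie name and value are constructed for illustration.

```php
<?php
// Added example (not from the original page): setting and destroying a cookie
// with setcookie(). The cookie name and value below are constructed.
// setcookie() writes a Set-Cookie header, so it must run before any HTML output.

function issueCookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not sent on cross-site requests
    ]);
}

// Destroying a cookie: reissue it with the same name and path but an
// expiration date in the past; the browser then discards it.
function destroyCookie(string $name): bool
{
    return setcookie($name, '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

issueCookie('username', 'alice', 7 * 24 * 3600); // constructed values

// Later, e.g. on logout:
// destroyCookie('username');

echo "<html><body>The cookie header was sent before this HTML.</body></html>";
```

The path (and domain, if one was set) must match the original cookie when deleting it, otherwise the browser treats the expired cookie as a different one and keeps the original.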
Using HTTP authentication, both the username and password are stored in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
The md5 function is a powerful security measure because it is a one-way function that converts a string to a 32-character hexadecimal number that cannot be converted back, and is therefore almost uncrackable.
When a string is salted, extra characters (known only by the programmer) are added to it before md5 conversion. This makes it nearly impossible for a brute-force dictionary attack to succeed.
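An added example (not code from the original page) that ties the HTTP authentication and salted-hashing points together: it reads the credentials from $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] and checks them against a stored salted md5 hash. The salt value, the user table and the password are constructed for illustration. The example also shows PHP's password_hash() and password_verify(), available since PHP 5.5, which use a slow algorithm with a random per-user salt and are what current PHP practice recommends for password storage in place of md5.

```php
<?php
// Added example (not from the original page). Authenticates HTTP Basic
// credentials against a stored salted hash. SALT and the user table are
// constructed for illustration.

const SALT = 'constructed-secret-salt'; // kept out of the database in practice

// Salted md5 as the chapter describes: extra characters are added before hashing.
function saltedMd5(string $password): string
{
    return md5(SALT . $password);
}

// Constructed user table: one account whose hash was produced by saltedMd5().
$users = [
    'alice' => saltedMd5('correct horse battery staple'),
];

// Returns the authenticated username, or null when credentials are missing or wrong.
function authenticate(array $users): ?string
{
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return null;
    }
    $user = $_SERVER['PHP_AUTH_USER'];
    $hash = $users[$user] ?? '';
    // hash_equals() compares in constant time, so a wrong guess takes as
    // long as a right one regardless of how many characters match.
    if ($hash !== '' && hash_equals($hash, saltedMd5($_SERVER['PHP_AUTH_PW']))) {
        return $user;
    }
    return null;
}

// Current PHP practice: password_hash() picks a slow algorithm and a random
// per-user salt; password_verify() reads both back out of the stored string.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

$who = authenticate($users);
if ($who === null) {
    header('WWW-Authenticate: Basic realm="Restricted"');
    header('HTTP/1.1 401 Unauthorized');
    exit('Authentication required');
}
echo 'Welcome, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

With password_hash() the stored string already carries the algorithm, cost and salt, so no separate programmer-held salt constant is needed and each user's hash differs even when two users choose the same password.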
A PHP session is a group of variables unique to the current user.
To initiate a PHP session, use the session_start function.
Session hijacking is where a hacker somehow discovers an existing session ID and attempts to take it over.
Session fixation is the attempt to force your own session ID onto a server rather than letting it create its own.
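An added example (not code from the original page) of session handling that addresses the two attacks just named. It assumes PHP 7.3 or later for the options-array form of session_set_cookie_params(). Strict mode makes PHP ignore a session ID it never issued, which is the fixation case; regenerating the ID at login and tying the session to the client's User-Agent header reduce what a discovered ID is worth, which is the hijacking case.

```php
<?php
// Added example (not from the original page): session setup with defences
// against fixation (strict mode, ID regeneration) and hijacking (cookie
// flags, ID regeneration, a simple client binding).

ini_set('session.use_strict_mode', '1');   // reject IDs the server did not create
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,       // only sent over HTTPS
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

// Call after the credentials have been verified.
function loginUser(string $username): void
{
    // A fresh ID after authentication invalidates any ID an attacker
    // planted (fixation) or observed (hijacking) before login.
    session_regenerate_id(true);
    $_SESSION['user']  = $username;
    $_SESSION['agent'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// True only for a logged-in session presented by the same User-Agent.
function sessionIsValid(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['agent'])) {
        return false;
    }
    $agent = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['agent'], $agent);
}

// Clears server-side data and expires the session cookie in the browser.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

if (!sessionIsValid()) {
    // Constructed flow: in a real page the login form would run first.
    loginUser('alice');
}
echo 'Session user: ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

The User-Agent check is a weak binding on its own, since the header is under the client's control; its purpose here is to reject casual reuse of an ID from a different browser, not to replace regeneration and the cookie flags.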