#6
Old 06-30-2004, 01:29 AM
smo
WebProWorld Pro
Join Date: Jun 2004
Location: India
Posts: 188

Your host should also take care of some points.
Never allow warning or error messages to display the full path on the server. If your script sends an error message along with the file name, and the path is exposed, then a hacker will get an idea of the session directory and of the other sites hosted on the same server. I have seen one host showing this.


If you are allowing members to sign up, then only allow numbers or letters. One of my clients once asked me to add this check to the signup form, as otherwise it allows hackers to use symbols like / , ? etc. and get some info on the server, directory etc. I don't know how this works.

The life of the session ID is important, and it should not last for more than a few minutes if the browser is not in contact with the server.