News Archive

Simon Holywell:
Improve PHP session cookie security
May 14, 2013 @ 14:55:37

Simon Holywell has a new post talking about cookie security in PHP, focusing on some of the PHP configuration settings that can help.

The security of session handling in PHP can easily be enhanced through the use of a few configuration settings and the addition of an SSL certificate. Whilst this topic has been covered numerous times before it still bears mentioning with a large number of PHP sites and servers having not implemented these features.

He talks about the httponly flag (set either when creating the cookie or in the configuration), the "use only cookies" setting for sessions and forcing session cookies to be "secure only".

session cookie security improvement tutorial phpini configuration

Link: http://simonholywell.com/post/2013/05/improve-php-session-cookie-security.html

Josh Adell:
Serializing Data Like a PHP Session
May 02, 2013 @ 09:11:33

In this new post Josh Adell looks at working with PHP sessions and how you can manually encode data to look as if it came from the normal session handling.

If you have ever popped open a PHP session file, or stored session data in a database, you may have noticed that this serialization looks very similar to the serialize function's output, but it is not the same. Recently, I needed to serialize data so that it looked like PHP session data (don't ask why; I highly suggest not doing this if it can be avoided.) It turns out, PHP has a function that encodes data in this format: session_encode.

Unfortunately, this method doesn't take arguments - it just outputs the encoded version of the current session data. So, he came up with his own encode/decode methods that use the PHP session, extract the serialized string and return it.

serialize data session string unserialize

Link: http://blog.everymansoftware.com/2013/05/serializing-data-like-php-session.html

SitePoint.com:
What Happened when we Talked PHP with the Experts
April 15, 2013 @ 09:05:56

On SitePoint.com today they've posted the transcript of a "Talk with the Experts" session they did with Lorna Mitchell (instructor of their recent OOP sessions). The transcript includes questions and answers to those in attendance as well as some good links and advice.

Last Thursday I broke with tradition slightly and ran a Talk with the Experts session in the evening (down under), making it a bit more time-zone friendly for our UK audience. It also meant that I was able to swap my usual coffee for a wine, which probably made the session run a bit more smoothly. The subject was PHP and our expert was Lorna Mitchell, tutor of Object-oriented PHP and co-author of PHP Master: Write Cutting-edge Code.

The transcript starts with a collection of some of the links provided during the discussion and then runs through the entire conversation. There's some good advice in there, especially if you're relatively new to the world of PHP object-oriented programming.

expert lornamitchell oop sitepoint transcript session

Link: http://www.sitepoint.com/what-happened-when-we-talked-php-with-the-experts

PHPMaster.com:
8 Practices to Secure Your Web App
February 04, 2013 @ 12:56:40

PHPMaster.com has posted a new article with some high-level security tips and reminders for PHP developers who want to help prevent issues with their applications. The article provides eight tips, each with a brief description.

When it comes to application security, in addition to securing your hardware and platform, you also need to write your code securely. This article will explain how to keep your application secure and less vulnerable to hacking.

The good practices they recommend include input data validation, protecting against XSS attacks, preventing SQL injections, protecting session data, proper error handling and protecting included files. There are some good reminders here, but it barely scratches the surface of effectively protecting your application. These tips are the "low hanging fruit" for securing your app, so be aware that there are more things to worry about than just these eight.

secure application tips xss csrf sqlinjection file session error include


PHPRefresh.com:
Managing Sessions and State with PHP
January 11, 2013 @ 10:25:15

In this new tutorial on the PHPRefresher.com site, Anand Godar walks you through just about all of the session functionality that comes with PHP and includes some code snippets for explanation.

Due to the fast evolution of Web programming, the stateless nature of the HTTP protocol brought many problems to certain Web applications that required maintaining their state across several HTTP requests. This demanded a rapid development of several mechanisms aimed at tackling this issue through diverse methods. Then a session management emerged as a direct response to the above mentioned problem, and currently this mechanism is being used by PHP developers worldwide, in cases where a Web application needs to keep track of its "state" during the occurrence of different HTTP requests.

The article starts off with the basics of sessions - what they are, how they're handled and created by PHP - and moves into the specific functions and their use. He talks about starting/ending sessions, their IDs, caching, module handling and working directly with the session cookie (if it exists).

session tutorial introduction functions


Community News:
Sunshine PHP Announces Speakers & Sessions!
December 14, 2012 @ 07:25:35

The Sunshine PHP conference has officially announced their speaker and session lists for next year's event (happening in Miami, Florida February 8th and 9th, 2013).

The event will have a wide range of topics covered including:

  • Cryptography for the Average Developer
  • Continuous Integration in Real Life
  • Quickly Building and Deploying PHP Applications in the Cloud
  • Symfony2 + EmberJS for fun and profit
  • Introducing Tests in Legacy PHP Applications
  • Dependency Management with Composer
  • From POX to HATEOAS, Our Companies Journey to Build a Hypermedia API

Tickets are already on sale for the event - about $220 USD for the full event, $160 for a student pass.

sunshinephp12 sphp12 conference speaker session announcement


Ben Ramsey:
Writing an Effective Talk Proposal
December 03, 2012 @ 10:25:32

If you've ever considered contributing to a PHP conference (or any other technology conference) but weren't sure how to even get started writing up a proposal for a session, you should check out this recent post from Ben Ramsey with a good guide (and some advice experienced speakers could use too).

Earlier today, I was asked "Any tips on how to write a proposal for a major conf?" I've never shared tips on this, and since the calls for proposals for Sunshine PHP and Midwest PHP both end tomorrow, I thought it would be a good idea to share my approach to writing conference proposals. Remember those standard, five-paragraph essays you used to write in high school? Remember how you thought they sucked and wouldn't provide any practical benefit to your life? Well, it turns out they do have some redeeming qualities.

He suggests that this "five paragraph essay" format helps you not only come up with a more fleshed out, full idea but also can provide you with the abstract to submit to the conference (possibly the first paragraph). He mentions the need for a "hook" and finishing off with an opinion that's the basis of the talk. He also has a reminder of a few things - don't talk down, don't use negative language and try not to use absolutes.

talk proposal conference suggestion opinion session


PHPMaster.com:
5 More PHP Security Vulnerabilities
November 13, 2012 @ 14:42:02

On PHPMaster.com there's a continuation of a previous article about security in PHP applications, talking about a few more considerations when trying to make things secure.

In a previous article, I talked about some common security vulnerabilities that can affect your PHP web application. But there are other things besides those ten (okay, seven) attacks to think about when you're developing. And so, this article offers a compendium of miscellaneous things that are security related; things you should do, things you shouldn't do, things that other people might try to do, whatever it takes to make an article long enough for my editor to be satisfied with it.

He talks some about the settings that you might need to tweak in your "php.ini" server-side configuration file, some hints on filtering data (like using filter_input) and what to watch out for with error reporting. He also mentions session fixation and the protection of user data and passwords to keep them out of the hands of would-be attackers.

security vulnerability tutorial phpini filterinput session fixation user


Community News:
PHPBenelux 2013 Tutorial Sessions Announced
November 06, 2012 @ 12:46:04

The PHPBenelux conference has officially announced their tutorials (and speakers for them) for this year's event (happening January 25th and 26th in Antwerp, Belgium):

Today we are proud to present you the first speakers for PHPBenelux Conference 2013. We start by announcing our tutorial speakers and in the coming weeks we will start publishing our speakers. The people in the community once again gave us the very hard task to select the tutorials from many quality submissions, and this is what we came up with.

Tutorial sessions for this year's event include a MongoDB workshop (Derick Rethans), Git and Github: Level Up (Ben Straub) and RESTful Services Made Easy with ZF2 (Matthew Weier O'Phinney). You can get your tickets now for these tutorial days (you select the session when you buy the ticket) or just pick up your pass for the rest of the conference at the Early Bird price!

phpbenelux13 conference tutorial session announcement


Ibuildings Blog:
DPCRadio A Quickstart to Zend Framework 2
November 01, 2012 @ 12:09:23

On the Ibuildings blog today they've posted the most recent episode from their recordings at the Dutch PHP Conference (2012) with Enrico Zimuel's talk A Quickstart on Zend Framework 2.

In this talk we will present a simple web application built with Zend Framework 2. We will show the new features of the framework, such as the new MVC layer, the Event Manager, the Dependency Injection and much more. The aim of this talk is how to start programming with the new architecture of ZF2. Moreover, we will show the differences with the version 1 of the framework and how to migrate applications from ZF1 to ZF2.

You can listen to this latest episode either via the in-page player, by downloading the mp3 or by subscribing to get this and future episodes.

zendframework2 quickstart dpc12 recording session enricozimuel






All content copyright, 2013 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework