Archive for September 2009

Validating web images in Symfony 1.2.8 with PHP 5.3.0

Friday, September 4th, 2009

If you’re developing a Symfony 1.2.8 (and possibly other older releases) application with PHP 5.3.0 you won’t be able to use sfValidatorFile with mime_categories set to web_images without changing Symfony code. Was that really English? Since PHP 5.3.0, finfo returns charset information along with the mime type. See more about this change in this PHP bug report.

If you try to use web_images, the validator will fail on images it should accept with an error like: “Invalid mime type (image/gif; charset=binary).”

As a workaround until this is fixed, you can change your file validator to something like this:
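As an added example (not the snippet from the original post), the following PHP strips the “; charset=…” parameter that PHP 5.3.0’s finfo appends, so that “image/gif; charset=binary” is compared as “image/gif”. The web_images list and the overridable protected getMimeType($file, $fallback) method on sfValidatorFile are assumptions; check them against your copy of Symfony 1.2.8.

```php
<?php
// Added example: normalise the finfo result before the mime_categories check.

/** Strip any ";charset=..." (or other) parameters from a MIME string. */
function normalizeMimeType($mime)
{
    if (!is_string($mime)) {
        return $mime;
    }
    $parts = explode(';', $mime, 2);
    return strtolower(trim($parts[0]));
}

/** Assumed to match Symfony's web_images category; verify in sfValidatorFile. */
$webImages = array('image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/gif');

// Constructed input: a minimal GIF header is enough for libmagic to report image/gif.
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

$finfo = new finfo(FILEINFO_MIME); // on PHP 5.3.0 this includes "; charset=binary"
$raw = $finfo->file($tmp);
unlink($tmp);

// The raw string fails the category check; the normalised one passes it.
var_dump($raw, in_array($raw, $webImages));
var_dump(normalizeMimeType($raw), in_array(normalizeMimeType($raw), $webImages));

// Applying it inside Symfony 1.2 (assumption: getMimeType is protected and
// overridable with this signature). Use this class in place of sfValidatorFile.
if (class_exists('sfValidatorFile')) {
    class myWebImageValidatorFile extends sfValidatorFile
    {
        protected function getMimeType($file, $fallback)
        {
            return normalizeMimeType(parent::getMimeType($file, $fallback));
        }
    }
}
```

Run the top half on its own to confirm what your finfo build returns; the subclass only matters inside a Symfony project.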

Managing Sessions across multiple domains, securely – Part 3

Thursday, September 3rd, 2009

Back to Part 2

——-

The HTTPS session is the “authority” session, and due to the authenticity tests it will not accept the HTTP session data as “valid”, because that data doesn’t contain the information an HTTPS session data file contains. So while it may still be possible for a user to hijack the HTTP session, it’s not possible for them to gain access to another user’s account or personal information by tampering with the HTTP headers and sending someone’s session id, because as soon as they hit a page or perform an operation which pushes them to the HTTPS website, they are immediately logged out, and any personal information is cleared from the session data. For a user to hijack another visitor’s HTTPS session they’d need the ability to “sniff” the secure session id, which is sent over the network encrypted and so is very unlikely, making this just as safe as always using HTTPS.