Spiga

Microsoft tries BrowseRank to replace Google PageRank

A research paper, BrowseRank: Letting Web Users Vote for Page Importance, delivered at a conference in Singapore this week, describes Microsoft Research Asia's alternative to Google's PageRank algorithm, BrowseRank. In the authors' words: "The more visits of the page made by the users and the longer time periods spent by the users on the page, the more likely the page is important. We can leverage hundreds of millions of users' implicit voting on page importance."

Microsoft BrowseRank

The new process, in theory, ranks sites based on their usage and on user behavior patterns. Google's algorithmic recipe for rankings remains a great mystery, an ever-changing set of goalposts that is constantly gamed by companies looking to leverage search results to drive traffic and revenue. Microsoft sees Google's strength in this regard as also being its weakness, arguing that web developers have many opportunities to influence the ranking system unfairly. BrowseRank, on the other hand, would look at user behavior on a site, Microsoft arguing that the more people are engaged by a site, the more likely it is to be relevant.

Search is of tremendous importance to the Internet for many reasons. For one thing, search engines are highly influential middlemen that steer users to Web sites they may not be able to find on their own. For another, queries typed into search engines can be powerful -- and in Google's case highly profitable -- indications of what type of advertisement to place next to the search results.

But Microsoft lags leader Google and No. 2 Yahoo in search. It's trying hard to catch up, for example with unsuccessful proposals to acquire Yahoo or its search business that would have cost the company billions of dollars. And Microsoft just bought search start-up Powerset.

Google isn't putting all its eggs in the PageRank basket, though.

"It's important to keep in mind that PageRank is just one of more than 200 signals we use to determine the ranking of a Web site," the company said in a statement. "Search remains at the core of everything Google does, and we are always working to improve it."

Pizza - the Top Trend Mobile Search

V-Enable, a voice-enabled mobile 411 service, conducted a study of a random sample of 20,000 searches in major metropolitan areas from customers of several V-Enable partner carriers, including Alltel and MetroPCS. The findings show interesting trends that the company attributes to the recession. For one thing, people are searching for more pizza. The top restaurant searches for the period between October 2007 and June 2008 are:

1. Pizza Hut
2. McDonald’s
3. Domino’s Pizza
4. Starbucks
5. Papa John’s Pizza
6. Little Caesars Pizza
7. Taco Bell
8. Burger King
9. Wendy’s
10. Denny’s


Sit-down restaurants like Olive Garden, Applebee's and Red Lobster have dropped off the list, while recession-proof comfort food like Pizza Hut and Domino's shot to the top. Searches for Pizza Hut rose 380% during the period, and searches for Domino's Pizza rose 980%. High gas prices are keeping people at home ordering in, and they are opting for cheaper alternatives. Financial analysts have explored this area extensively and have deemed several of these restaurant chains "recession-proof stocks."


There are several other search-related economic indicators from V-Enable. U-Haul, a company that had never appeared on any top 50 list, jumped to #23 in general search, possibly because of a rise in foreclosures. Macy's dropped from #17 to #49 in retail, which the company reads as a direct reflection of shrinking discretionary income. Motel 6 had never shown up on a top 50 list, but is now #37 in general search, quite possibly because travelers can't afford the costlier alternatives. Mobile search happens in real time and is unaffected by SEO, making these statistics arguably more reflective of consumer sentiment than web search.


V-Enable is a mobile information service: users speak the name of a restaurant or residential listing and receive location and contact information. The company also has live operators working behind the scenes so that users can call and get human assistance if necessary. V-Enable sent us similar retail statistics in December. The company has raised $10.1 million over three rounds from Siemens Mobile Acceleration Corporation, Sorrento Ventures, SoftBank Capital and Palisades Ventures.


credit : techcrunch

Google Search Tips - part1

1. Google can be your phone book. Type a person's name, city and state directly into the search box, and Google will show the phone number and address at the top of the results. This works for business listings too.

      Google can also work as a reverse directory: if you have a phone number, type it into the search box and Google will return the listing that matches it.

2. Google can be your calculator. Type a math problem into the search box and Google will compute and display the result. You can spell out the expression in words (one plus one, six divided by two), use numbers and symbols (4*5, 6/2), or type a combination of both (ten million * pi, 15% of six).

3. Longer queries are better, but shorter ones are okay. Google is designed to deliver high-quality results even for one- or two-word queries, so it is fine to keep your search short. Adding a few more specific words, though, will usually yield better results.

     For example: when you are looking for information on applying to colleges, include the word admissions after the name of the university you are searching for to get more relevant results.

4. Use quotation marks when precision matters. Typing "the truth of linux" into the Google search box will yield web pages containing that exact phrase, whereas leaving off the quotes will produce an assortment of pages that merely contain some of those words.

     The reason: adding quotation marks around the query tells Google to look for occurrences of the exact phrase as typed. That makes quotation marks especially helpful when searching for song lyrics, people's names, or expressions such as "to be or not to be" that consist of very common words.

5. Google can be your dictionary. Type define followed by any English word into the search box, and Google will show a quick definition at the top of the results.

6. Forget plurals. Google automatically searches for all the stems of a word, so you don't need to run separate searches for sleep, sleeps and sleeping. Just type one of the words into the search box and Google will take care of the rest, giving you the results in one list.

Next Post : Google Search Tips - part2

Google's Bigtable

 Bigtable is Google's distributed storage system for managing structured data. It is designed to scale to a very large size: petabytes of data across thousands of commodity servers.

It is like a spreadsheet with a huge, effectively limitless number of rows and columns, where each row is identified by a key. This differs from a traditional relational database, which has many tables linked to one another by keys: a Bigtable is a single sparse table with effectively unlimited rows and columns. It does not provide SQL-style joins or sub-selects; rows are looked up and scanned by key, and any joining of data is done by the application.

Many projects at Google store data in Bigtable, including web indexing, Google Earth, and Google Finance. Bigtable has provided a flexible, high-performance solution for all of these products.

Eight Reasons for Linux OS Is Like a Religion

1. Christianity has Jesus as Lord and Savior. Linux has Linus Torvalds.

2. Jesus Christ was followed by the disciples, while Linus Torvalds was assisted by the original programmers.

3.  Christianity has different Denominations. Linux has Distributions.

4. Accepting Jesus as your savior saves you from the fires of hell and demons, while installing Linux on your computer will protect you from the hell of data loss, viruses, and malware.

5. Christianity views Satan as the being of ultimate evil, while Linux perceives Bill Gates as the Evil One.

6. Linux is defined by its source code, while Christianity follows the Bible.

7. Christianity offers salvation for no cost at all other than the occasional tithe and charity donation. Linux is also free with only the occasional shipping charge or support fee.

8. Religious folks are instructed to go out into the world and teach others the good news. Linux users also do their part in converting those that have been drawn in to the evil darkness of Microsoft.

Credit : divinecaroline.com

Benefits Of Adobe AIR

With the Adobe® AIR™ runtime, you can deliver branded rich Internet applications (RIAs) on the desktop that give you a closer connection to your customers.

Adobe AIR uses the same proven, cost-effective technologies used to build web applications, so development and deployment are rapid and low-risk. You can use your existing web development resources to create engaging, branded applications that run on all major desktop operating systems.

The benefits are extensive. By using Adobe AIR as part of your RIA strategy, you can boost productivity, extend your market reach, enhance customer satisfaction, improve customer retention, lower costs, and increase profits.

Business Benefits


Companies like eBay, AOL, and NASDAQ are already using Adobe AIR to deliver engaging RIAs to their users' desktops. With Adobe AIR, you can:
  • Establish a more persistent connection with existing customers.
  • Deliver fully branded experiences with desktop functionality.
  • Leverage existing personnel, processes, and infrastructure.
  • Develop and deliver RIAs efficiently using proven Adobe technology.
  • Increase the ROI of your web investments.
If you have found other benefits of using AIR, please share them with us in the comments.

Preventing Phishing attacks

Phishing Attack


Phishing is an attack in which the attacker impersonates a legitimate site and steals the sensitive information that the customer enters on the fake site.

The attacker sends the victim a forged e-mail containing a link to a fake page that looks exactly like a page of the genuine site. These e-mails carry upsetting or exciting (but false) statements to get the customer to react immediately. When the customer clicks the link, he is asked to log in and update his personal information, which hands his credentials and personal details to the attacker.

Steps to prevent these attacks


The best way to prevent phishing attacks is to create customer awareness. Some important points that need to be communicated to customers include:

1. Organizations should constantly remind their customers that they will never request sensitive information via e-mail. Moreover, all e-mail communications should address the customer by first and last name, so that a generic "Dear Customer" greeting stands out as suspicious.

2. Customers need to be educated not to click on links to critical websites (e.g. Internet banking sites) that arrive via e-mail, but to visit those websites by typing the address directly into the browser or using a bookmark they saved themselves.

3. Customers should be educated on how to recognize a secure website, such as https in the URL and the browser's lock icon, before submitting a username, password, credit card number or other sensitive information. They should also be told that https only means the connection is encrypted; a phishing site can use https too, so the domain name in the address bar must be checked as well.

4. Customers should be educated about choosing strong passwords and the importance of changing them regularly (see: How to choose a Strong Password).

5. Customers should be educated to be suspicious of any e-mail with an urgent request for personal information.

6. Customers should be provided with easy methods to report phishing incidents.
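Point 2 can also be enforced on the organization's side, for example by checking the links in outgoing or reported mail. The following is an added example, not code from the original post: it pulls every link out of an HTML message and reports the signs a practitioner looks for (a host outside the organization's domains, a plain-http link, a bare IP address, a user@host prefix that hides the real host, and visible link text that names a different host than the href). The trusted domain list, the helper names and the sample message are constructed for illustration.

```php
<?php
// Added example (not from the original post): flags links in an HTML e-mail
// that do not lead to the organization's own domains. The domain list and
// the sample message below are constructed for illustration.

declare(strict_types=1);

/** Domains the organization actually sends customers to (assumption). */
const TRUSTED_DOMAINS = ['bank.example', 'www.bank.example'];

/**
 * Returns the host of a URL, lower-cased, or null if it cannot be parsed.
 * We read the 'host' key from parse_url() rather than the text after "://",
 * so "http://bank.example@evil.example/" yields evil.example, not bank.example.
 */
function link_host(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    return strtolower($parts['host']);
}

/**
 * Classifies one anchor (href plus visible text). Returns the list of
 * reasons the link looks like phishing; an empty list means it passed.
 */
function phishing_indicators(string $href, string $text): array
{
    $reasons = [];
    $scheme  = strtolower((string) parse_url($href, PHP_URL_SCHEME));
    $host    = link_host($href);

    if ($host === null || !in_array($scheme, ['http', 'https'], true)) {
        return ['unparseable or non-http link'];
    }
    if (!in_array($host, TRUSTED_DOMAINS, true)) {
        $reasons[] = "host '$host' is not a trusted domain";
    }
    if ($scheme !== 'https') {
        $reasons[] = 'link is not https';
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $reasons[] = 'host is a bare IP address';
    }
    if (parse_url($href, PHP_URL_USER) !== null) {
        $reasons[] = 'URL carries a user@ prefix (host spoofing trick)';
    }
    // Visible text that itself looks like a URL but points somewhere else.
    $textHost = link_host($text);
    if ($textHost !== null && $textHost !== $host) {
        $reasons[] = "visible text shows '$textHost' but link goes to '$host'";
    }
    return $reasons;
}

/** Extracts every <a href> from an HTML body and reports the suspicious ones. */
function scan_html_mail(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // tolerate sloppy mail HTML
    $doc->loadHTML($html, LIBXML_NOWARNING | LIBXML_NOERROR);
    libxml_clear_errors();

    $findings = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $href = $a->getAttribute('href');
        $text = trim($a->textContent);
        $why  = phishing_indicators($href, $text);
        if ($why !== []) {
            $findings[] = ['href' => $href, 'text' => $text, 'reasons' => $why];
        }
    }
    return $findings;
}

// Constructed sample message, not a real phishing mail.
$mail = <<<HTML
<p>Dear Customer, your account will be suspended. Please verify now:</p>
<a href="http://bank.example@203.0.113.5/login">https://www.bank.example/login</a>
<a href="https://www.bank.example/help">Help centre</a>
HTML;

foreach (scan_html_mail($mail) as $f) {
    echo $f['href'], "\n  ", implode("\n  ", $f['reasons']), "\n";
}
```

Run with the PHP CLI; only the first link is reported, with four reasons (untrusted host, not https, bare IP, user@ prefix, and the mismatch between the displayed and real host). The check is deliberately about the destination host, not about the look of the page, because the page itself is designed to be indistinguishable from the real one.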

If you have any other steps to prevent phishing attacks, please share them with us in the comments.

Predictions for Next Gen iPhone

The latest shiny new iPhone, with its super-fast 3G web browsing, is here and selling out fast, though that may in part be due to low initial stock in the stores as well as consumer demand. The launch was not smooth, with AT&T activation server crashes in the USA and problems with O2 in the UK causing Gizmodo to call the event "iPocalypse". But, despite the problems, Apple are already claiming to have sold 1 million iPhones over Friday, Saturday and Sunday, higher than expected and a milestone reached over seven days sooner than with the first release, although this time they had 28 operators in 22 countries.

Time will tell if this new model, with its new features and lower prices, will deliver the success that Apple initially planned. Like many other people this weekend, I found myself testing out the latest iPhone features in the local store. The prospect of super-fast browsing on a large multi-touch screen and the promise of upcoming TomTom navigation using the new GPS capabilities is very tempting; probably a good job they had none in stock.

So is that it for Apple? Do they have the perfect phone? Well, of course not – there are plenty of niggles and many things they should be looking at for their seemingly annual phone release, especially with new versions of Microsoft Mobile and the new Google Android looming on the horizon. The new App Store is a great start and will give customers a steady fix of new iPhone goodness until the next big release. It opens the opportunities for third parties to start filling the gaps by adding more value (hurry up TomTom).

Last year I was predicting that Santa Jobs would deliver GPS and 3G, but like many others I was also asking for a decent camera. This seems to be the most obvious omission from the new device, especially since we are seeing 5 megapixels fast becoming the standard. We are even seeing a few 8 megapixel super-shooters, and even entry-level phones come with 3.2 megapixels these days. This makes the measly 2 megapixel Apple a clear year out of date right from the start. I wouldn't mind the low pixel count if the quality was good, but so far many sites are reporting low quality too compared with other mass-market handsets. So prediction number 1 would be a 5 megapixel camera with auto-focus and flash, perhaps with face recognition for exposure and focus.


Top 5 Reasons to love iphone 3G

After finally getting my iPhone 3G, I spent most of my time playing with the apps and the App Store. It's early days, but there are already some amazing apps available for the iPhone. This list gives the top 5 reasons to love (or live with) the iPhone 3G.

1. Looks (and feels) amazing

Whatever you think of the feature set, and of the chances of your fat fingers destroying that shiny big screen, the iPhone looks amazing, and it feels amazing in the palm of your hand, too. It's sleek, curvy, bright and shiny, slim and sexy, with on-screen icons and buttons that just ooze class.

2. Touch screen

That touchscreen is a mixed blessing. Fingers are messy things (some people's more than others) and sweeping and tapping them all over a glossy screen is sure to take its toll eventually. Plus, fingers are much fatter than a stylus, so you can't help but obscure what you're interacting with. You'll also have to invest in your own screen protection, as first-generation iPhone doesn't have its own.

3. iPod

With its beautiful 3.5-inch widescreen display and Multi-Touch controls, iPhone is also one amazing iPod. Browse your music in Cover Flow and watch widescreen video with the touch of a finger.

Scroll through songs, artists, albums, and playlists with a flick. Browse your music library by album artwork using Cover Flow. Even view song lyrics that you’ve added to your library in iTunes. Get a call while listening to music? A pinch of the microphone on your iPhone headset pauses the tune and answers the call.

4. Wi-fi

Of course wi-fi isn't everywhere, but it's increasingly easy to hook up to the Internet at home and work, as well as plenty of other places: cafés, libraries, and urban hotspots. iPhone certainly isn't the only handset to include it, but it's a great addition.

5. Third party Applications

The iPhone 3G gives users access to a lot of third-party apps. Here are the most popular ones:
  • FileMagnet
  • Shazam
  • Vicinity
  • Things
  • OmniFocus
  • Twitterific
  • NetNewsWire
  • Remote
  • Super Monkeyball
  • Cube Runner
Please share in the comments why you love the iPhone 3G.

The Web's Future is in Personalization, Not in Search

At the Next Web conference in Amsterdam over the weekend, Tapan Bhat, the Yahoo! vice president of Front Doors, told attendees that search would not dominate the web in the future. "The future of the web is about personalization. Where search was dominant, now the web is about 'me.' It's about weaving the web together in a way that is smart and personalized for the user," he said.

Interestingly, Google appears to have similar ideas. A couple of weeks ago, Google's CEO Eric Schmidt told the Financial Times that personalization was a key area of research for Google. "We are very early in the total information we have within Google. The algorithms will get better and we will get better at personalization," he said. "The goal is to enable Google users to be able to ask the question such as ‘What shall I do tomorrow?’ and ‘What job shall I take?’"

Both Google and Yahoo! are hoping to take data about user behavior aggregated from across their properties (think: search history, del.icio.us bookmarks, Flickr photos, Upcoming events, Answers questions, etc.) in order to learn more about what each user wants. The ultimate goal is to deliver a more personalized experience to the user.

Privacy fears aside, if Google and Yahoo! are right, and personalization is where the web is headed, then Google might be more vulnerable than anyone thinks. According to Compete, the stickiest site on the web -- the one that demands most of our attention -- is MySpace, followed by Yahoo! and eBay. Google is actually 5th (based on February 2007 numbers). Facebook, which was 8th in February according to Compete, is likely to make a big push as their new platform adds more useful applications for users, giving them less of a reason to ever leave the site.

Why is attention important? Because the more time you have to interact with users, the more chance you have to gather information about them. The more information you have about them, the more useful and personalized you can make your service and the better you can target advertising and capture a users' ecommerce spending. If the web paradigm is indeed shifting from search to personalization, then it would appear that Yahoo! and social networking sites like MySpace and Facebook might be in a better position to take advantage of that than Google.

What do you think? Is search dead? Is personalization the next big thing? Is this a tacit admission of defeat by Yahoo! or is it visionary foresight? Who is in the best position to dominate the personalized web?

credit : Read/Write Web

Google can crawl text in Flash files

Google has been developing a new algorithm for indexing textual content in Flash files of all kinds, from Flash menus, buttons and banners, to self-contained Flash websites. Recently, we've improved the performance of this Flash indexing algorithm by integrating Adobe's Flash Player technology.

In the past, web designers faced challenges if they chose to develop a site in Flash because the content they included was not indexable by search engines. They needed to make extra effort to ensure that their content was also presented in another way that search engines could find.

Now that we've launched our Flash indexing algorithm, web designers can expect improved visibility of their published Flash content, and you can expect to see better search results and snippets. The Webmaster Central blog provides more technical details about the Searchable SWF integration.

iphone 3G Missing Features

The new and improved iPhone 3G from Apple has a lot of exciting features. Here are the missing ones, which we hope will be available in a future version:
  • No video recording.
  • No card slot.
  • No MMS.
  • No copy&paste.
  • No voice dialing.

  • No Stereo Bluetooth.
  • No user-replaceable battery.
  • No more online sale and activation.
If I have missed any features that fit the above list, please let me know.

Mobile Flash becomes free - Adobe

Today Adobe announced a series of changes to its emerging web applications platform. The changes include:

--The next version of the mobile Flash runtime will be free of license fees. Adobe also confirmed that the mobile version of the Air runtime will be free.

--Adobe changed its licensing terms and released additional technical information that will make it easier for companies to create their own Flash-compatible products.

--The company announced a new consortium called Open Screen supporting the more open versions of Flash and Air. Members of the new group include the five leading handset companies, three mobile operators (including NTT DoCoMo and Verizon), technology vendors (including Intel, Cisco, and Qualcomm), and content companies (BBC, MTV, and NBC Universal). Google, Apple, and Microsoft are not members. It's not clear to me what the consortium members have actually agreed to do. My guess is it's mostly a political group.

Adobe said that the idea behind the announcements is to create a single consistent platform that lets developers create an application or piece of content once and run it across various types of devices and operating systems. That idea is very appealing to developers and content companies today. It was equally appealing two years ago, when then-CEO of Adobe Bruce Chizen made the exact same promise (link):

If we execute appropriately we will be the engagement platform, or the layer, on top of anything that has an LCD display, any computing device -- everything from a refrigerator to an automobile to a video game to a computer to a mobile phone.

If Adobe had made the Open Screen announcement two years ago, I think it could have caught Microsoft completely flat-footed, and Adobe might have been in a very powerful position by now. But by waiting two years, Adobe gave Microsoft advance warning and plenty of runway room to react -- so much so that ArsTechnica today called Adobe's announcement a reaction to Microsoft Silverlight (link).

Also, the most important changes appear to apply to the next version of mobile Flash and the upcoming mobile version of Air -- meaning this was in part a vaporware announcement. Even when the new runtime software ships, it will take a long time to get it integrated into mobile phones. So once again, Microsoft has a long runway to maneuver on.

Still, the changes Adobe made are very useful. There's no way Flash could have become ubiquitous in the mobile world while Adobe was still charging fees for it. The changes to the Flash license terms remove one of the biggest objections I've seen to Flash from open source advocates (link). The Flash community seems excited (link, link). And the list of supporters is impressive. Looking through the obligatory quotes attached to the Adobe release, two things stand out:

--Adobe got direct mentions of Air from ARM, Intel, SonyEricsson, Verizon, and Nokia (although Nokia promised only to explore Air, while it's on the record promising to bundle Silverlight mobile).

--The inclusion of NBC Universal in the announcement will have Adobe people chuckling because Microsoft signed up NBC to stream the Olympics online using Silverlight. So NBC is warning Microsoft not to take it for granted, and Adobe gets to stick its tongue out.

credit : Mobile Opportunity

Google ratproxy Web Application Tool

Ratproxy is a semi-automated, largely passive web application security audit tool, optimized for accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns, based on observation of existing, user-initiated traffic in complex web 2.0 environments. Because it is passive, it does not inject attack payloads of its own, which makes it safe to run against a live application; the flip side is that it only sees the requests a human (or a test suite) actually drives through it.

It detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

For more details and the download, please visit the project's official Google page.


10 Linux Commands You Use Most Often

cat


cat tells the system to "concatenate" the content of a file to standard output, usually the screen. If that file happens to be binary, the cat gets a hairball and the output can be a bit ugly. Typically this is a noisy process as well: what is actually happening is that cat is writing the raw bytes of the file, and the terminal does all it can to interpret and display them. Those bytes may include the character that rings the terminal bell, which is where the noise comes from, and other control sequences can leave the terminal in a garbled state (running reset restores it). The cat command has the following format:

  #   cat filename

cd


cd stands for change directory. You will find this command extremely useful. There are three typical ways to use it:
  • cd .. :    Move one directory up the directory tree.
  • cd (with no argument) :   Moves to your home directory from wherever you currently are. cd - returns to the directory you were in before the last cd.
  • cd directory_name :   Change to a specific directory. This can be a directory relative to your current location, or an absolute path from the root directory if you place a forward slash (/) before the directory name.

cp


cp is the abbreviation for copy; this command enables you to copy files. For example, to copy file1 to file2, issue the following command:

  #   cp file1 file2

find


The find command looks in whatever directory you tell it to, and in all the subdirectories under it, for files matching the criteria you specify. In the following example, find searches the current directory (.) and everything below it for files whose names end in .pl. The pattern is quoted so that the shell does not expand it before find sees it; an unquoted find *.pl would hand find a list of existing file names as starting points instead of a search pattern.

  #   find . -name '*.pl'

grep


The grep (global regular expression print) command searches the file you specify for the text pattern you specify. The syntax is:

  #   grep text file

ls


The ls command lists the contents of a directory. The format of the output is controlled with options. In the following example, ls with no options lists all non-hidden files (a file whose name begins with a dot is hidden) in alphabetical order, filling as many columns as will fit in the window:

  #   ls

more


more is a filter for paging through text one screen at a time. It can only page forward through the text, as opposed to less, which can page both forward and backward.

rm


rm is used to delete the specified files. With the -r option (Warning: this can be dangerous!), rm recursively removes directories and everything inside them; run rm -r on a top-level directory as root and all your files will be gone, with no confirmation. By default, rm will not remove directories.

tar


tar is an archiving program designed to store and extract files from an archive file. This archive (called a tar file) can be written to any media, including a tape drive or a hard disk. The syntax for the tar command is as follows:

  #   tar action [options] file(s)/directory(ies)

vi


vi is an extremely powerful text editor (not to be confused with a word processor). Using vi, you can see your file on the screen (which is not the case with a line editor, for example), move from point to point in the file, and make changes. But that's where the similarities to other editors end. Cryptic commands, a terse user interface, and the absence of prompts can all drive you up a wall. Still, if you focus on a few basics, you'll get the job done.

If I have missed any Linux command that fits the above list, please let me know.

Can AIR Applications Run in a Web Browser?

Yes, you can test AIR applications in a web browser. AIR uses the same rendering engine (WebKit) as Apple's Safari, so that browser will give the most accurate results (and it is available on both Mac OS X and Windows as of version 3). Firefox, which also runs on both platforms, should work as well, and it has an additional benefit: its excellent JavaScript debugging tools.

Although you could, theoretically, test your applications in Internet Explorer, I would advise against it for two reasons.

1) JavaScript may not behave the same in IE as it does in your AIR application (a common Ajax problem).

2) IE is a notoriously tricky browser that makes even web development and testing much harder than it should be (in my opinion).

Ten Commandments of Collecting Email Addresses on Website

As anyone who runs a website these days knows, or should know, the CAN-SPAM Act of 2003 requires e-mailers either to have a certain type of relationship with an e-mail recipient or to adhere to certain mailing standards if no such relationship exists. Failure to do so can land one in federal (or state) court.

However beyond that there is the court of Internet public opinion, and beyond even that is the high court of spam filters and spam blocking. Truly, you don’t want to run afoul of any of these.

The safest way to ensure that you stay on the good side of the law, and spam filters, particularly when building a list of email addresses to which you wish to send business, commercial, or other correspondence related to your website, is to follow this simple list of ten DOs and DON’Ts:

DON’Ts:


1. DON’T trap a website visitor’s email address and then add it to a mailing list without their permission.

2. DON’T use other identifying website visitor information, such as IP address, computer name, etc., to ‘reverse engineer’ or otherwise divine or guess at their email address, and then add it to a mailing list.

3. DON’T pre-check a check box which “opts in” to your mailings, requiring the visitor to uncheck it in order to not receive your mailing or be added to your mailing list.

4. DON’T be coy, cute, or evasive about what your intent and policy are with respect to any email address your visitor provides.

5. DON’T add an email address, even if freely provided, to your mailing list unless you have provided a way for the visitor to clearly indicate that they want to be added to your mailing list, and they so indicate.

DOs:


1. DO state very clearly what you will do with any email address provided by a visitor, including your privacy policy.

2. DO scrupulously adhere to what you have said you will do with their email address, and never, ever share it with someone else without their explicit permission.

3. DO collect and store, with the email address submitted, the source IP address, the date and time of the submission, and any other unique identifying information; store it along with the indication of permission the visitor has provided for you to add their address to your mailing list. I cannot stress this enough. When accused of spamming (and you will be), having this information available to refresh the memory of your accuser, and to prove to your ISP that you were not spamming them, will save your hide. An ounce of prevention here is worth a ton of trying to get off a spam blocking list without this exculpatory information.

4. DO honour opt-out requests religiously, and immediately.

5. DO pick up ISIPP’s CAN-SPAM Compliance Pack, chock full of practical advice and tips, and even audio speeches from lawyers from the FTC and a major ISP, to make sure that you get, are, and remain CAN-SPAM compliant. If not that, at least pick up their CAN-SPAM and You: Emailing Under the Law eBook.

Tips for improving your Web security

Here are a handful of specific techniques for improving your web security.
  • Make it your job to study, follow, and abide by security recommendations.
  • Don’t use user-supplied names for uploaded files. Generate the name on the server and keep the original name only as display text; a client-chosen name can carry path components or a scripting extension.
  • Watch how database references are used. For example, if a person’s user ID is their primary key from the database and that value is stored in a cookie, a malicious user just needs to change the cookie value to access another user’s account. Keep such identifiers in the server-side session, and check that the current user actually owns any record an ID refers to.
  • Don’t show detailed error messages in the website.
  • Reliably and consistently protect every page and directory that needs it. Never assume that people won’t find sensitive areas just because there’s no link to them. If access to a page or directory should be limited, make sure it is.
  • Don’t store credit card numbers, social security numbers, banking information, and the like. The only exception to this would be if you have deep enough pockets to pay for the best security and to cover the lawsuits that arise when this data is stolen from your site (which will inevitably happen).
  • Use SSL, if appropriate. A secure connection is one of the best protections a server can offer a user.
My final recommendation is to be aware of your own limitations. As the programmer, you probably approach a script thinking of how it should be used. This is not the same as how it will be used, either accidentally or on purpose. Try to break your site to see what happens. Do bad things, do the wrong thing. Have other people try to break it, too (it’s normally easy to find such volunteers). When you code, if you assume that no one will ever use a page properly, it’ll be much more secure than if you assume people always will.
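Three of the tips above, the upload filename, the database reference, and the error message, come up together in almost every PHP upload-and-download feature, so here they are in code. This is an added example, not code from the original post. It assumes uploads are written to /var/uploads (outside the web root), that the logged-in user's id is kept server-side in $_SESSION['user_id'] rather than in a cookie the visitor can edit, and that $pdo is a PDO connection opened elsewhere; the table and column names are invented for the illustration.

```php
<?php
// Added example (not from the original post). Assumptions: uploads live in
// /var/uploads outside the web root, the current user's id is in
// $_SESSION['user_id'], and $pdo is an open PDO connection created elsewhere.
declare(strict_types=1);

const UPLOAD_DIR    = '/var/uploads';                            // assumed location
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Tip: "Don't use user-supplied names for uploaded files."
 * The browser-supplied name never reaches the filesystem; the server picks a
 * random name and the extension comes from the sniffed MIME type, not from
 * $file['type'] or the original name. Returns the stored name, or null.
 */
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;                                   // not a type we accept
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;   // keep the original name only as display text in the DB
}

/**
 * Tip: "Watch how database references are used."
 * The record id comes from the request, but the query also requires the row
 * to belong to the session user, so altering the id (or any cookie) cannot
 * reach another user's record. Returns the row, or null if not found/owned.
 */
function fetchOwnDocument(PDO $pdo, int $docId): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;                                   // not logged in
    }
    $stmt = $pdo->prepare(
        'SELECT id, filename, title FROM documents WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $docId, ':owner' => (int) $_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Tip: "Don't show detailed error messages in the website."
 * The detail goes to the server log for the operator; the visitor sees a
 * generic message.
 */
function failGenerically(string $detail): void
{
    error_log($detail);
    http_response_code(400);
    echo 'The request could not be processed.';
    exit;
}

// Request handling: session first, then the two operations.
session_start();
if (isset($_FILES['document'])) {
    $stored = storeUpload($_FILES['document']);
    if ($stored === null) {
        failGenerically('upload rejected for user ' . ($_SESSION['user_id'] ?? 'anon'));
    }
}
if (isset($_GET['doc'])) {
    $doc = fetchOwnDocument($pdo, (int) $_GET['doc']);
    if ($doc === null) {
        failGenerically('document ' . (int) $_GET['doc'] . ' not found for user '
            . ($_SESSION['user_id'] ?? 'anon'));
    }
}
```

The ownership condition belongs in the query itself rather than in a check performed after the fetch; that way there is no code path where the row is loaded first and the comparison forgotten later.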

Changing the PHP Session Behavior

As part of PHP’s support for sessions, there are over 20 different configuration options you can set for how PHP handles sessions. Here I’ll highlight a few of the most important ones. Note two rules about changing the session settings:

1. All changes must be made before calling session_start().
2. The same changes must be made on every page that uses sessions.

Settings are changed with the ini_set() function, passing the name of the setting and its new value:

  ini_set (parameter, new_setting);

For example, to require the use of a session cookie (as mentioned, sessions can work without cookies but it’s less secure), use

   ini_set ('session.use_only_cookies', 1);

Another change you can make is to the name of the session (perhaps to use a more user-friendly one). To do so, use the session_name() function.

  session_name('YourSession');

The benefits of creating your own session name are twofold: it’s marginally more secure and it may be better received by the end user (since the session name is the cookie name the end user will see). The session_name() function can also be used when deleting the session cookie:

  setcookie (session_name(), '', time()-3600);

Finally, there’s also the session_set_cookie_params() function. It’s used to tweak the settings of the session cookie.

  session_set_cookie_params(lifetime, path, domain, secure, httponly);

Note that the expiration time of the cookie refers only to the longevity of the cookie in the Web browser, not to how long the session data will be stored on the server.
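The settings above are usually collected into one include file so that rule 2 (the same changes on every page) is met automatically. The following is an added example, not code from the original post, showing that file: the ini_set() calls, session_name(), session_set_cookie_params() and the cookie deletion, in the order rule 1 requires. The session name 'YourSession' is the page's own placeholder; the 30-minute cookie lifetime and the two extra ini settings (use_strict_mode, use_trans_sid) are additions not mentioned in the text.

```php
<?php
// Added example (not from the original post): one include file, required at the
// top of every page that uses sessions. The name 'YourSession' is the page's
// placeholder; the 1800-second lifetime is an assumption.
declare(strict_types=1);

function startHardenedSession(string $name = 'YourSession', int $lifetime = 1800): void
{
    // Rule 1: everything below must happen before session_start().
    ini_set('session.use_only_cookies', '1');   // the setting from the text: no ids in URLs
    ini_set('session.use_strict_mode', '1');    // reject session ids the server never issued
    ini_set('session.use_trans_sid', '0');      // never rewrite links to carry the session id

    session_name($name);                        // also the cookie name the user will see

    // lifetime, path, domain, secure, httponly. An empty domain means the current host.
    // The lifetime only governs the browser cookie; how long the data lives on the
    // server is a separate setting (session.gc_maxlifetime).
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params($lifetime, '/', '', $secure, true);

    session_start();
}

// Ending a session completely: empty the data, delete the cookie (by name, as
// the text shows, and with the same attributes it was set with, otherwise the
// browser keeps the old one), then destroy the server-side record.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a page: the same call every time, then ordinary session work.
startHardenedSession();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
if (isset($_GET['logout'])) {
    endSession();
}
```

Putting session_name() and session_set_cookie_params() in the same function as session_start() is what makes rule 1 hard to break by accident: a page cannot start the session without the settings having been applied first.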

How To Prevent Brute Force Attacks

A brute force attack is an attempt to log into a secure system by making lots of attempts in the hopes of eventual success. It’s not a sophisticated type of attack, hence the name "brute force." For example, if you have a login process that requires a username and password, there is a limit as to the possible number of username/password combinations. That limit may be in the billions or trillions, but still, it’s a finite number. Using algorithms and automated processes, a brute force attack repeatedly tries combinations until it succeeds.

The best way to prevent brute force attacks from succeeding is to require users to register with good, hard-to-guess passwords: containing letters, numbers, and punctuation; both upper- and lowercase; words not in the dictionary; at least eight characters long, etc. Also, don’t give indications as to why a login failed: saying that a username and password combination isn’t correct gives away nothing, but saying that a username isn’t right, or that the password isn’t right for that username, says too much.

To stop a brute force attack in its tracks, you could also limit the number of incorrect login attempts by a given IP address. IP addresses do change frequently, but in a brute force attack, the same IP address would be trying to log in multiple times in a matter of minutes. You would have to track incorrect logins by IP address, and then, after X number of invalid attempts, block that IP address for 24 hours (or something). Or, if you didn’t want to go that far, you could use an “incremental delay” defense: each incorrect login from the same IP address creates an added delay in the response (use PHP’s sleep() function to create the delay). Humans might not notice or be bothered by such delays, but automated attacks most certainly would.
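The two defences just described, an incremental delay per source IP and a block after repeated failures, together with the uniform failure message from the previous paragraph, fit in a few functions. The following is an added example, not code from the original post. The attempt store is an in-memory array so the file runs on its own; a real site would keep these counts in the database so every web server sees the same numbers. The 24-hour block follows the text; the threshold of five failures, the one-second delay per failure, the sample account and the IP address 203.0.113.7 are all constructed for the illustration.

```php
<?php
// Added example (not from the original post). The attempt store is a
// constructed in-memory stand-in for a database table; thresholds below are
// assumptions except for the 24-hour block, which the text names.
declare(strict_types=1);

const MAX_FAILURES   = 5;          // assumed
const BLOCK_SECONDS  = 24 * 3600;  // from the text
const DELAY_PER_FAIL = 1;          // seconds added per previous failure (assumed)

// Hash verified when the username is unknown, so a bad username costs the same
// time as a bad password and reveals nothing about which accounts exist.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// ip => ['failures' => int, 'last' => unix time]
$attempts = [];

function isBlocked(array $attempts, string $ip, int $now): bool
{
    $a = $attempts[$ip] ?? null;
    return $a !== null
        && $a['failures'] >= MAX_FAILURES
        && ($now - $a['last']) < BLOCK_SECONDS;
}

// Seconds to wait before answering this IP: nothing for a clean IP, more with each failure.
function penaltySeconds(array $attempts, string $ip): int
{
    return DELAY_PER_FAIL * ($attempts[$ip]['failures'] ?? 0);
}

function recordFailure(array &$attempts, string $ip, int $now): void
{
    $a = $attempts[$ip] ?? ['failures' => 0, 'last' => $now];
    if ($a['failures'] >= MAX_FAILURES && ($now - $a['last']) >= BLOCK_SECONDS) {
        $a['failures'] = 0;                            // an expired block starts over
    }
    $a['failures']++;
    $a['last'] = $now;
    $attempts[$ip] = $a;
}

/**
 * Returns [success, message]. $lookupHash maps a username to its stored
 * password_hash() value, or null when the account does not exist. Bad
 * username and bad password produce the identical message.
 */
function attemptLogin(array &$attempts, string $ip, string $user, string $pass,
                      callable $lookupHash, int $now): array
{
    if (isBlocked($attempts, $ip, $now)) {
        return [false, 'Too many failed attempts. Try again later.'];
    }
    sleep(penaltySeconds($attempts, $ip));              // the incremental delay

    $hash = $lookupHash($user);
    $ok = password_verify($pass, $hash ?? DUMMY_HASH) && $hash !== null;
    if (!$ok) {
        recordFailure($attempts, $ip, $now);
        return [false, 'The username and password combination is not correct.'];
    }
    unset($attempts[$ip]);                              // success clears the count
    return [true, 'Welcome back.'];
}

// Constructed sample account; in a real site this comes from the database.
$users  = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$lookup = fn(string $u): ?string => $users[$u] ?? null;

// Six wrong passwords from one address. The delays make this run take about
// ten seconds in total; the sixth call is refused before any password check.
$now = time();
for ($i = 0; $i < 6; $i++) {
    [$ok, $msg] = attemptLogin($attempts, '203.0.113.7', 'alice', 'wrong' . $i, $lookup, $now);
    echo ($ok ? 'ok   ' : 'fail ') . $msg . PHP_EOL;
}
```

Because the delay is applied before the credentials are checked, a client that keeps guessing pays the penalty on every request, while a legitimate user who mistypes once waits a single second on the next try.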