hoodmonkey
Just another Hoodmonkey weblog
Advanced PHP Session Security Concepts, Part One
When I have trouble understanding complex issues, I often try to deconstruct the topic and then compare the basic concept to a daily routine that I have already figured out. This process hasn’t let me down until recently, when I was trying to wrap my head around web security. As usual, I don’t expect replies to the following question, so I’m just hoping that writing it out in MS Word will help somehow.
Suppose you're next in line at a bank, waiting to make a deposit. You hand the teller your check and an ID card which, in this scenario, shows only your full name and a phone number; the phone number serves as your password. Now, which situation provides more security for both you and the bank?
- After verifying that the computed sum of your name and phone number matches the secret 'key', the teller executes your transaction, discards your old debit card and issues you a new one. This happens after every single transaction, even several times on the same day, and it slows transactions down.
- The teller will only acknowledge you once a trusted staff member vouches for you. This happens only when you enter the bank; after that you can make unlimited transactions without further verification until you leave.
- You walk into the bank, decide the pressure is too much and cancel your account, vowing to live in a cave until Jesus appears.
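The two serious options above read, to me, like two ways of handling the session identifier in PHP: issue a fresh identifier after every transaction, or verify once at the door and then trust the identifier until the visitor leaves. The following is an added example written for this post, not code from the original, showing both strategies with PHP's session API. The user store (`$users`), the sample credentials and the function names (`login`, `rotateEveryRequest`, `logout`) are assumptions made for the illustration.

```php
<?php
// Added example: the two "teller" strategies expressed with PHP's session API.
// $users, the sample credentials and the function names below are illustrative
// stand-ins (assumptions), not part of the original post.

declare(strict_types=1);

// Cookie settings applied before the session starts.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie: gone when the browser closes ("until you leave")
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject identifiers the server never issued
ini_set('session.use_only_cookies', '1');
session_start();

// Stand-in user store (constructed for the example). The "phone number" of the
// analogy is the password; it is stored hashed and never compared as plain text.
$users = [
    'alice' => password_hash('555-0100', PASSWORD_DEFAULT),
];

/**
 * Strategy two from the post: verify once when the user "enters the bank",
 * then trust the session until they leave. The identifier is rotated exactly
 * once, when the session changes from anonymous to authenticated, so an
 * identifier handed out before login is never accepted afterwards (this is the
 * defence against session fixation).
 */
function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    session_regenerate_id(true);       // drop the pre-login identifier and its data
    $_SESSION['user']  = $name;
    $_SESSION['login'] = time();
    return true;
}

/**
 * Strategy one from the post: a new "debit card" after every transaction.
 * Call this on every request. It limits how long a stolen identifier stays
 * usable, at the cost of an extra session write per request and a race when
 * two requests from the same browser arrive at once: the second request still
 * carries the old identifier, which strict mode rejects, so that request is
 * served as an anonymous visitor.
 */
function rotateEveryRequest(): void
{
    if (isset($_SESSION['user'])) {
        session_regenerate_id(true);
    }
}

/** "Until you leave": clear the session data, expire the cookie, destroy the session. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (strategy two): one verification at the door, many transactions after it.
if (login($users, 'alice', '555-0100')) {
    echo "Welcome, {$_SESSION['user']}\n";
}
// To get strategy one instead, call rotateEveryRequest() at the top of every script.
```

The trade-off mirrors the analogy: rotating on every request shortens the window in which a stolen identifier is useful, but costs a write per request and can drop concurrent requests from the same browser; rotating once at login removes the fixation risk at the moment it matters and otherwise leaves the session alone until logout.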
I want to expand a bit more on this post later on, but for now I’m throwing it out there.