I am really clueless on how to protect PHPSESSID. Does the value of session_id come from PHPSESSID? It would be disastrous if the session_id got compromised. Anyone have any ideas?
+3
A:
Here is the article from the PHP manual that explains session security in PHP: link
Probably the most effective way to protect your sessions will be to enable SSL on your site and force the session id to be stored in cookies. Then cookies will be encrypted as they are passed to your site, and that should guarantee enough protection.
RaYell
2009-08-04 07:54:37
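As an added illustration of RaYell's advice (this is not code from the answer or from the PHP manual): force the session id to travel only in a cookie, and only issue that cookie over HTTPS. The `is_https()` helper, the redirect and the HttpOnly/SameSite flags are my own additions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original answer: harden the PHPSESSID cookie so it
// is only ever sent over HTTPS and is never readable by page scripts.
// Assumes the site is reachable over HTTPS; the redirect is a minimal illustration.

function is_https(): bool
{
    // Most SAPIs set $_SERVER['HTTPS'] to a non-empty value other than "off" under TLS.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

if (!is_https()) {
    // Refuse to start a session on plain HTTP; send the client to the HTTPS URL instead.
    $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
    $uri  = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . $host . $uri, true, 302);
    exit;
}

// Accept the session id only from the cookie, never from the URL (?PHPSESSID=...),
// so an attacker cannot plant a known id by sending the victim a link.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Cookie flags: Secure = sent over HTTPS only; HttpOnly = hidden from document.cookie.
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',  // PHP 7.3+; limits the cookie on cross-site requests
]);

session_start();
```

With `session.use_only_cookies` on, a `?PHPSESSID=` parameter in a link is ignored, which closes the session-fixation route the question is worried about; `secure` means the id never appears on the wire in clear text even if a user types an `http://` URL, because the redirect happens before any session cookie is set.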
A:
The session_id is stored in a cookie on the user's system. Not sure what you mean by protecting it.
Marius
2009-08-04 07:57:17
Oh, I mean, prevent session hijacking stuff. Well, I am new to these session things though.
bbtang
2009-08-04 08:39:17
A:
You can use HTTPS as RaYell said, but if you can't afford a certificate, there are some ways to secure a session even with HTTP:
- Store the user-agent in the session when you create the session. Check the user-agent on every request. If the user-agent changes, delete the session.
- Same as above, but with the IP address. The annoying thing there is that a lot of ISPs provide dynamic IPs, and the session can be deleted illegitimately.
- Set a low session timeout. This will not prevent session hijacking, but it reduces the risks. Beware, this can annoy users though.
- Set a low session lifetime (1 day). This will force users to reauthenticate after 1 day, so even if a session is hijacked, it won't be hijacked for more than one day.
Remember that this advice will not prevent session hijacking. It will dramatically reduce the risks, but there will always be a risk, unless you use HTTPS.
FWH
2009-08-04 08:54:54
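The four checks FWH lists, as an added example that is not code from the answer: user-agent (optionally IP) binding, an idle timeout and an absolute lifetime, written as functions over the session array so the walkthrough runs from the CLI with `php file.php` and no web server. The function names, the 15-minute and 1-day limits, and the constructed requests at the bottom are my own choices.

```php
<?php
// Added example, not from the original answer. Pure functions over a session
// array so the whole thing runs offline; in a real app pass $_SESSION and $_SERVER.

const IDLE_TIMEOUT      = 15 * 60;       // 15 minutes without a request ends the session
const ABSOLUTE_LIFETIME = 24 * 60 * 60;  // re-authenticate after 1 day regardless of activity

// Fingerprint the client. IP binding is off by default because users on dynamic
// or rotating addresses would be logged out spuriously, as the answer notes.
function fingerprint(array $server, bool $bindIp = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// Called once after a successful login. Regenerating the id discards any id an
// attacker may already know (session fixation) before privileges are attached.
function start_authenticated_session(array &$session, array $server, int $now, bool $bindIp = false): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session = [
        'fp'           => fingerprint($server, $bindIp),
        'created_at'   => $now,
        'last_seen_at' => $now,
        'bind_ip'      => $bindIp,
    ];
}

// Called on every request. Returns null when the session is still valid;
// otherwise wipes the session and returns a short reason.
function validate_session(array &$session, array $server, int $now): ?string
{
    if (!isset($session['fp'], $session['created_at'], $session['last_seen_at'])) {
        return 'no-session';
    }
    $reason = null;
    if (!hash_equals($session['fp'], fingerprint($server, $session['bind_ip'] ?? false))) {
        $reason = 'fingerprint-mismatch';
    } elseif ($now - $session['last_seen_at'] > IDLE_TIMEOUT) {
        $reason = 'idle-timeout';
    } elseif ($now - $session['created_at'] > ABSOLUTE_LIFETIME) {
        $reason = 'lifetime-expired';
    }
    if ($reason !== null) {
        $session = [];
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();
        }
        return $reason;
    }
    $session['last_seen_at'] = $now;   // slide the idle window, not the absolute one
    return null;
}

// --- constructed walkthrough: no real HTTP requests are made ---
$t0 = 1249372800;  // arbitrary fixed timestamp
$victim   = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/3.5', 'REMOTE_ADDR' => '198.51.100.10'];
$attacker = ['HTTP_USER_AGENT' => 'curl/7.19', 'REMOTE_ADDR' => '203.0.113.7'];

$session = [];
start_authenticated_session($session, $victim, $t0);
printf("same browser, 5 min later:      %s\n", validate_session($session, $victim, $t0 + 300) ?? 'ok');
printf("stolen cookie, other client:    %s\n", validate_session($session, $attacker, $t0 + 301) ?? 'ok');

start_authenticated_session($session, $victim, $t0);
printf("same browser after 20 min idle: %s\n", validate_session($session, $victim, $t0 + 20 * 60) ?? 'ok');

start_authenticated_session($session, $victim, $t0);
for ($t = $t0; $t <= $t0 + ABSOLUTE_LIFETIME + 600; $t += 600) {   // user keeps clicking every 10 min
    $r = validate_session($session, $victim, $t);
    if ($r !== null) {
        printf("active user after %d s:     %s\n", $t - $t0, $r);
        break;
    }
}
```

The user-agent check only stops an attacker who replays the cookie from a different client without copying the victim's `User-Agent` header; anyone who captured the cookie on the wire captured that header too, which is why the answer says these checks reduce the risk rather than remove it. The absolute lifetime is the check that survives that case: a stolen id stops working after a day no matter how carefully the attacker mimics the victim.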