tags:

views:

293

answers:

3

I am really clueless on how to protect PHPSESSID. Does the value of session_id come from PHPSESSID? It would be disastrous if the session_id got compromised. Anyone have any ideas?

+3  A: 

Here is the article from PHP manual that explains sessions security in PHP: link

Probably the most effective way to protect your sessions will be to enable SSL on your site and forcing storing of session id in cookies. Then cookies will be encrypted as they will be passed to your site and that should guarantee enough protection.

RaYell
A: 

the session_id is stored in a cookie on the users system. Not sure what you mean by protecting it.

Marius
oh i mean, prevent session hijacking stuff.. Well, I am new to this session things though..
bbtang
A: 

You can use HTTPS as RaYell said, but if you can't afford a certificate, there are some ways to secure a session even with HTTP:

  • Store the user-agent in the session when you create the session. Check the user-agent on every request. If the user-agent changes, delete the session.
  • Same as above, but with the IP address. The annoying thing there is that a lot of ISP provide dynamic IPs, and the session can be deleted illegitimately.
  • Set a low session timeout. This will not prevent session hijacking, but it reduces the risks. Beware, this can annoy users though.
  • Set a low session lifetime (1 day). This will force users to reauthenticate after 1 day, so even if a session is hijacked, it won't be hijacked for more than one day.

Remember these advices will not prevent session hijacking. They will dramatically reduce the risks, but there will always be a risk, unless you use HTTPS.

FWH
I wouldn’t delete the session but just create a new one.
Gumbo