Do I have to do anything special to avoid session hijacking using Kohana framework?

(Assuming the session is manipulated only with the Kohana Session library)

Thanks in advance

A: 

I would check out the relevant files on GitHub.

Depending on the driver you use, e.g. native or db, you may want to dig deeper.

alex
+4  A: 

Native sessions are the most prone to hijacking, as they are not secured against cookie stealing. There is very little security applied to native sessions beyond the defaults that PHP provides. For better security, you should probably add a user agent or IP address check.

Cookie sessions are salted, and support encryption. You should change Cookie::$salt to increase the security.

Database sessions also use a salted cookie to store the session id, so again, you should change the salt.

Edit: You are talking about v2, which has greater security applied to the session, as it extends the native sessions. This approach is more prone to odd PHP issues, but provides greater security. Check the session configuration file for adding user_agent and ip_address checks.

shadowhand
A: 

For more security I would use database sessions and encrypt the cookies (which holds the session id).

feketegy
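The two defenses the answers above point at (binding a session to the user agent and IP address, and salting the cookie that carries the session id) are shown below as an added, framework-neutral PHP example. It is not Kohana's own code and does not call the Kohana Session or Cookie classes; every function name, the `_fp` session key, the secret and the request arrays are this example's own assumptions.

```php
<?php
// Added example (not Kohana code): bind a PHP session to the client's
// user agent and IP address, and sign the session-id cookie with a secret
// salt. This mirrors the user_agent/ip_address checks and the
// Cookie::$salt idea from the answers above in plain PHP.

// Build a fingerprint from the request environment. $server is an array
// in the shape of $_SERVER; $secret is an application secret (assumed to
// come from configuration, never hard-coded in a real deployment).
function session_fingerprint(array $server, string $secret): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    // Keyed hash: knowing the fingerprint format is not enough to forge
    // one without the secret.
    return hash_hmac('sha256', $ua . "\0" . $ip, $secret);
}

// Record the fingerprint when a session is started or regenerated.
function bind_session(array &$session, array $server, string $secret): void
{
    $session['_fp'] = session_fingerprint($server, $secret);
}

// Check the session on every request. Returns true when the stored
// fingerprint matches the current client; a mismatch means the session
// cookie is being presented from a different client, and the session
// should be destroyed rather than trusted.
function session_is_bound(array $session, array $server, string $secret): bool
{
    if (!isset($session['_fp']) || !is_string($session['_fp'])) {
        return false;
    }
    // Constant-time comparison to avoid leaking the value through timing.
    return hash_equals($session['_fp'], session_fingerprint($server, $secret));
}

// Salted session-id cookie: the cookie value is "<id>~<hmac>", so an id
// that was not issued by this application fails verification even if
// the attacker guesses or fabricates a syntactically valid id.
function sign_session_id(string $id, string $salt): string
{
    return $id . '~' . hash_hmac('sha256', $id, $salt);
}

// Returns the verified session id, or null when the cookie is malformed
// or its MAC does not match.
function verify_signed_session_id(string $cookie, string $salt): ?string
{
    $parts = explode('~', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$id, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $id, $salt), $mac)) {
        return null;
    }
    return $id;
}

// --- Constructed demonstration (no real requests or cookies involved) ----
$secret = 'example-secret-change-me'; // constructed placeholder

// Constructed request environments using documentation IP ranges.
$legit  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux)', 'REMOTE_ADDR' => '192.0.2.10'];
$stolen = ['HTTP_USER_AGENT' => 'curl/8.0',                 'REMOTE_ADDR' => '198.51.100.7'];

$session = [];
bind_session($session, $legit, $secret);

// Same client presenting the session: accepted.
var_dump(session_is_bound($session, $legit, $secret));

// Same session cookie replayed from another client: rejected.
var_dump(session_is_bound($session, $stolen, $secret));

// Signed cookie round trip, then the same MAC attached to a different id.
$cookie = sign_session_id('abc123', $secret);
var_dump(verify_signed_session_id($cookie, $secret));
var_dump(verify_signed_session_id('zzz999~' . explode('~', $cookie, 2)[1], $secret));
```

In a real application, call `session_regenerate_id(true)` and then `bind_session()` again whenever privilege changes (login, role elevation), so a session id captured before authentication is worthless afterwards. Binding to `REMOTE_ADDR` is the stricter of the two checks and also the one most likely to log out legitimate users whose address changes mid-session (mobile networks, load-balanced proxies), so decide per deployment whether to include it; the user-agent check alone raises the bar for a casual cookie thief without that cost.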