Do I have to do anything special to avoid session hijacking using Kohana framework?
(Assuming the session is manipulated only with the Kohana Session library)
Thanks in advance
Native sessions are the most prone to hijacking, as they are not secured against cookie stealing. There is very little security applied to native sessions beyond the defaults that PHP provides. For better security, you should probably add a user agent or IP address check.
Cookie sessions are salted, and support encryption. You should change Cookie::$salt to increase the security.
Database sessions also use a salted cookie to store the session id, so again, you should change the salt.
Edit: You are talking about v2, which has greater security applied to the session, as it extends the native sessions. This approach is more prone to odd PHP issues, but provides greater security. Check the session configuration file for adding user_agent and ip_address checks.
For more security I would use database sessions and encrypt the cookie (which holds the session id).
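As an added illustration (not part of the answer above, and not code shipped by Kohana), here is what the Kohana 2.x application/config/session.php could look like once the hardening the answer recommends is applied: the database driver, user_agent and ip_address validation, an encrypted session cookie and periodic session id regeneration. The key names follow the Kohana 2.3 default session config; the table name 'sessions' and the regeneration interval are assumptions chosen for this example.

```php
<?php defined('SYSPATH') or die('No direct script access.');
// application/config/session.php  (Kohana 2.x, hardened example)

// Keep session data server-side; only the session id reaches the browser.
$config['driver'] = 'database';

// Table used by the database driver (assumed name; must exist with the
// columns the driver expects before switching drivers).
$config['storage'] = 'sessions';

// Session cookie name.
$config['name'] = 'kohanasession';

// Bind the session to the client's User-Agent and IP address. A session id
// replayed from a client whose User-Agent or IP differs fails validation
// and the session is discarded. ip_address breaks legitimate users whose
// IP changes mid-session (mobile networks, proxy pools), so weigh that
// before enabling it.
$config['validate'] = array('user_agent', 'ip_address');

// Encrypt the session cookie (Kohana uses the key from config/encryption.php,
// so set a strong, site-specific key there rather than the shipped default).
$config['encryption'] = TRUE;

// Absolute lifetime of a session, in seconds.
$config['expiration'] = 7200;

// Regenerate the session id every N page loads (3 is an assumed value):
// a stolen id stops working as soon as the legitimate user's id rotates.
$config['regenerate'] = 3;

// Probability (in percent) that garbage collection of expired rows runs.
$config['gc_probability'] = 2;
```

Two caveats worth keeping in mind: the User-Agent header is chosen by the client, so the user_agent check only stops an attacker who did not bother to copy it; treat it as defence in depth, not as a replacement for the database driver, encryption and regeneration. Also set the secure and httponly options in application/config/cookie.php so the session cookie is not sent over plain HTTP and is not readable by scripts, which closes the most common cookie-stealing path (XSS) that this session config alone does not address.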