views: 91 | answers: 2

How do I fix Session Fixation in PHP/CakePHP? I am on a shared host.

EDIT: I am on a shared host; how can I enable it if I don't have access to php.ini?

+1  A: 

http://en.wikipedia.org/wiki/Session_fixation#Countermeasures

Do a little bit of searching first, okay? ;)

Delan Azabani
+2  A: 
  • Set session.use_only_cookies=true. It's harder with cookies than POST/GET parameters to inject and/or social-engineer a session id.
  • Set session.cookie_httponly=true. Not really because of session fixation but session hijacking ...anyway, there shouldn't be a good reason for a client-side script to be able to read the session id cookie.
  • Use session_regenerate_id() as often as you deem necessary; at minimum every time a login is attempted.
VolkerK
I am on a shared host; how can I enable it if I don't have access to php.ini?
Web Developer
Both session.use_only_cookies and session.cookie_httponly are marked as PHP_INI_ALL, i.e. you can set the values via ini_set() before you call session_start(), _every time_ before you call session_start().
VolkerK
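The following is an added example, not code from the question or from any of the answers, showing how the settings VolkerK lists are applied from application code on a shared host where php.ini cannot be edited, and where session_regenerate_id() belongs in a login flow. It goes slightly beyond the answer by also setting session.use_strict_mode (PHP 5.5.2 and later) and session.cookie_secure. It assumes a plain PHP entry point; the function names and the check_credentials() stand-in are invented for illustration and are not part of CakePHP.

```php
<?php
// Added example: harden PHP session handling without php.ini access.
// Both ini_set() calls below must run BEFORE session_start() on every request,
// because PHP_INI_ALL settings changed at runtime only apply to that request.

function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1');  // ignore session ids passed in URL/GET/POST
    ini_set('session.cookie_httponly', '1');   // keep client-side script from reading the cookie
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued (PHP >= 5.5.2)
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        ini_set('session.cookie_secure', '1'); // only transmit the cookie over TLS
    }
    session_start();
}

// check_credentials() is a constructed stand-in so this file runs on its own;
// a real application would look the user up in its own store.
function check_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Issue a fresh id and delete the old session data (true) so that an id
    // chosen before authentication is not carried over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser as well as destroying the server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

secure_session_start();
if (isset($_POST['user'], $_POST['password']) && login($_POST['user'], $_POST['password'])) {
    echo 'logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
}
```

The important detail is that ini_set() only affects the current request, so secure_session_start() has to be the single place every script starts its session; in a CakePHP app that would be wherever the framework bootstraps the session (an assumption about where to hook it, not a CakePHP API).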