Home/ Questions/Q 1005553
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T08:18:58+00:00

Lets just consider the trust that the server have with the user. Session fixation:

  • 0

Lets just consider the trust that the server have with the user.

Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php)

Session sidejacking: SSL encryption for the entire site.

Am I safe ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called “session riding”.

    You should use this code in a php header file:

    ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);
session_start();

    This code prevents session fixation. It also helps protect against xss from access document.cookie which is one way that Session Hijacking can occur. Enforcing HTTPS only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called “secure cookies”, which is a terrible name for it. Also STS is a very cool security feature, but not all browsers support it (yet).

    • 0