Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
While I was reading about session hijacking articles, i learned that it would be nice to encrypt session id value that is stored in a cookie.
As far as I know, when I start a session by calling session_start(), PHP does not encrypt session id value in a cookie.
How do I encrypt session id value and then initialize session with it?
Encrypting won’t help. The session cookie is just a magic number anyway. Encrypting it just means there’s a different magic number to hijack. Depending on what hijacking scenarios you have in mind, there are other possible mitigations. For example, you can limit sessions to a single IP. That poses some issues though, e.g. people switching between wireless points.