Would it prevent, for example, session hijacking? If not, what can I do to make my php sessions secure?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Would it prevent, for example, session hijacking? If not, what can I do to make my php sessions secure?
What is sent to the client is a session identifier and not a session variable. These session identifiers are usually set as a cookie in the client. Of course, if anyone gets hold of the session identifier (for example, by using cross site scripting attack) from the user’s browser or client, he can set the session identifier in his own client and impersonate as the other user.
Session variables, however, usually refer to the values in
$_SESSIONarray. See http://www.php.net/manual/en/function.session-start.php for an example. These values are never sent over the network to the client.As far as protecting session identifiers is concerned, I have already explained in the first paragraph that they are stored as cookies in the browser. In an HTTP session, the cookies are transmitted between the server and client in cleartext. This is vulnerable to eavesdropping (for example, a guy on a router through which your packets pass could capture your packets and read the session identifier from it). The best way to overcome this problem is to use HTTPS instead.