How to Prevent Session Hijacking in PHP

When a session is set up between a client and a web server, PHP stores the session ID in a cookie on the client side, usually called PHPSESSID. Sending that ID with each page request gives the client access to the session data persisted on the server (which populates the superglobal $_SESSION array).

If someone steals a session ID, is that bad? If you are using that session to authenticate a user, then it would allow some vile person to sign on as that user and get into things. This is particularly bad if the user is important and has a lot of authority.

So how do people steal these session IDs, and what can decent, God-fearing folk like us do about it? Session IDs are commonly stolen via an XSS attack, so preventing XSS is a good thing that yields double benefits. It is also important to change the session ID as often as is practical; this reduces your theft window. From within PHP you can call the session_regenerate_id() function to change the session ID and notify the client.
Posted on: Fri, 23 Aug 2013 11:38:50 +0000
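The following is an added example, not code from the original post, showing one way to put the two mitigations above into practice: cookie attributes that keep the session ID away from script and off plain HTTP, and session_regenerate_id() called both at login and on a timer. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and setcookie()); the five-minute rotation interval, the SESSION_ROTATE_SECONDS constant and the onLoginSuccess()/onLogout() function names are illustrative choices.

```php
<?php
// Added example (not from the original post): hardening PHP session handling
// against session ID theft. Assumes PHP >= 7.3. The rotation interval and the
// helper names are assumptions chosen for illustration.

declare(strict_types=1);

// Regenerate the ID at least this often (assumed policy, tune to taste).
const SESSION_ROTATE_SECONDS = 300;

function startSecureSession(): void
{
    // Reject session IDs the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript, so an XSS cannot read document.cookie
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);

    session_start();

    // Rotate the ID periodically to shrink the theft window.
    $now = time();
    if (!isset($_SESSION['last_regenerated'])) {
        $_SESSION['last_regenerated'] = $now;
    } elseif ($now - $_SESSION['last_regenerated'] > SESSION_ROTATE_SECONDS) {
        session_regenerate_id(true); // true: discard the old session data on the server
        $_SESSION['last_regenerated'] = $now;
    }
}

// Call at any privilege change (login, role escalation): a fresh ID means an
// ID captured before authentication is useless afterwards.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_regenerated'] = time();
}

function onLogout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

startSecureSession();
```

Two caveats worth knowing. HttpOnly stops script from reading the cookie, but a script injected via XSS can still issue requests that the browser will attach the cookie to, so XSS prevention remains the primary defence rather than something the cookie flag replaces. And passing true to session_regenerate_id() deletes the old session immediately, which can break a request that was already in flight under the old ID; applications with many concurrent AJAX requests sometimes regenerate without deleting and expire the old ID a short while later instead.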
