Session Security

Counter Measures

• Regenerate the session ID upon login, before authentication, using session_regenerate_id(true). Passing boolean true removes the old session and is critical as a counter measure

• Also, regenerate session id prior to “critical” operations

• Use SSL encryption for the login, or assign a hidden key (not as good)

• Check that the IP address remains the same (although not always reliable)

• Use a short session timeout

• Provide user logout

• Destroy an old and create a new session with: session_regenerate_id(true)

• Set PHP configuration directive session.use_only_cookies = 1

• Prevent JavaScript access to the session cookie with PHP configuration directive session.cookie_httponly = 1
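Several of the counter measures above combined in one session bootstrap, as an added example that is not code from the original page. The function names, the user_id / ip / last_seen session keys and the 15-minute timeout are assumptions.

```php
<?php
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // assumed value: 15 minutes of inactivity

// Call at the top of every request instead of a bare session_start().
function start_secure_session(): void
{
    // Directives from the list above; they must be set before session_start().
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();

    $now = time();
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';

    // Short timeout: a session idle for longer than IDLE_TIMEOUT is dropped.
    $expired = isset($_SESSION['last_seen'])
        && ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT;
    // IP check: not always reliable (proxies, mobile networks), so a
    // mismatch only forces a new login.
    $moved = isset($_SESSION['ip']) && $_SESSION['ip'] !== $ip;

    if ($expired || $moved) {
        $_SESSION = [];              // forget the old login state
        session_regenerate_id(true); // abandon the old id and its stored data
    }
    $_SESSION['last_seen'] = $now;
}

// Call at login: the id is replaced before the session is marked authenticated.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_seen'] = time();
}

// Call before "critical" operations such as a password change.
function before_critical_operation(): void
{
    session_regenerate_id(true);
}

// User logout: clear the data, expire the cookie, destroy the stored session.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```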
