Counter Measures
• Regenerate the session id upon login, before authentication, using session_regenerate_id(true). Passing boolean true removes the old session and is critical as a countermeasure.
• Also regenerate the session id prior to “critical” operations.
• Use SSL encryption for the login, or assign a hidden key (not as good).
• Check that the IP address remains the same (although this is not always reliable).
• Use a short session timeout.
• Provide user logout
• Destroy the old session and create a new one with session_regenerate_id(true).
• Set the PHP configuration directive session.use_only_cookies = 1.
• Prevent JavaScript access to the session cookie with the PHP configuration directive session.cookie_httponly = 1.
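The measures above combined into one minimal PHP login/session flow, as an added example that is not code from the original page. It assumes a hypothetical verify_credentials() helper that returns the user id on success or null otherwise, and adds session.use_strict_mode and session.cookie_secure, two standard directives not listed above.

```php
<?php
// Added example (not from the original page): a minimal login/session flow
// applying the listed countermeasures. verify_credentials() is a
// hypothetical helper returning the user id on success or null otherwise.
// Hardened session directives; they must be set before session_start().
ini_set('session.use_only_cookies', '1'); // ignore ids passed in the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
ini_set('session.cookie_httponly', '1');  // no JavaScript access to the cookie
ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only
const SESSION_TIMEOUT = 900;              // 15 minutes of inactivity
session_start();

function login(string $user, string $password): bool
{
    $userId = verify_credentials($user, $password); // hypothetical helper
    if ($userId === null) {
        return false;
    }
    // Rotate the id at the privilege change. Passing true deletes the old
    // session data, so an id planted before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['client_ip']     = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_activity'] = time();
    return true;
}

// Call on every request; returns false if the session must not be trusted
// (the caller should then force a fresh login). Before a critical
// operation, call session_regenerate_id(true) again as well.
function is_session_valid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return false;
    }
    if (time() - $_SESSION['last_activity'] > SESSION_TIMEOUT) {
        return false; // short timeout expired
    }
    if ($_SESSION['client_ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        return false; // IP changed (unreliable behind proxies / mobile)
    }
    $_SESSION['last_activity'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params(); // expire the cookie with matching attributes
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```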