- Set session.use_trans_sid = 0 in the /etc/php5/apache2/php.ini file, so the session id is never appended to URLs.
- Ensure you always generate a new session id on every successful login attempt.
- Try setting session.use_only_cookies = 1 and check that everything still works.
- Use HTTPS throughout so that nobody can sniff your session id.
- Store the session id together with the remote IP address and compare them on each successive page.
http://us3.php.net/manual/en/session.security.php
http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/
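The following bootstrap script shows the points above applied in code. It is an added example, not code from the original post; the function names (login_user, require_valid_session, logout_user) and the /login.php path are assumptions. The cookie_secure and cookie_httponly settings go slightly beyond the list: the first follows from the HTTPS recommendation, the second keeps the cookie out of reach of script on the page.

```php
<?php
// Added example (not from the original post): a hardened session bootstrap
// for a PHP 5 era application. Function names and paths are assumptions.

// Runtime equivalents of the php.ini settings recommended above.
ini_set('session.use_trans_sid', '0');     // never put the session id in URLs
ini_set('session.use_only_cookies', '1');  // ignore ids passed via GET or POST
ini_set('session.cookie_httponly', '1');   // keep the cookie away from JavaScript
// Only mark the cookie Secure when the site is actually served over HTTPS;
// otherwise the browser never sends it and every request starts a new session.
ini_set('session.cookie_secure', !empty($_SERVER['HTTPS']) ? '1' : '0');

session_start();

// Call this after the credentials have been verified. Regenerating the id and
// discarding the old one means an id that was known before login cannot be
// used to reach the authenticated session.
function login_user($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['client_ip']    = $_SERVER['REMOTE_ADDR'];
    $_SESSION['logged_in_at'] = time();
}

// Call this at the top of every protected page. If the remote address has
// changed since login, treat the session as suspect: destroy it and send the
// user back to the login form.
function require_valid_session()
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');  // assumed path
        exit;
    }
    if ($_SESSION['client_ip'] !== $_SERVER['REMOTE_ADDR']) {
        // Caveat: legitimate users behind rotating proxies or on mobile
        // networks change address too, so log the event and expect some
        // false positives rather than treating every mismatch as an attack.
        error_log('Session IP mismatch for user ' . $_SESSION['user_id']);
        $_SESSION = array();
        session_destroy();
        header('Location: /login.php');  // assumed path
        exit;
    }
}

// Clear the session data, expire the cookie in the browser and destroy the
// server-side record so the id cannot be reused after logout.
function logout_user()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Include this file before any output on every page; call login_user() once the password check succeeds and require_valid_session() at the top of each page that needs an authenticated user.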
Monday, August 17, 2009
PHP, Session Security