Monday, August 17, 2009

PHP, Session Security



- Set session.use_trans_sid = 0 in /etc/php5/apache2/php.ini so the session ID is never appended to URLs.
- Always issue a freshly generated session ID on every successful login; never keep the ID the client had before authenticating.
- Try setting session.use_only_cookies = 1 and check that everything still works.
- Use HTTPS throughout so nobody can sniff the session ID in transit.
- Store the session ID together with the client's remote IP address and compare them on each subsequent page.
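The five points above, applied together in one request handler. This is an added example and not code from the original post: the ini settings, session_set_cookie_params(), session_regenerate_id() and password_verify() are standard PHP functions, while authenticate() (checking a constructed in-memory user table), the session keys, and the redirect targets /login.php and /home.php are placeholders for an application's own pieces. The array form of session_set_cookie_params() needs PHP 7.3 or later, and session.use_strict_mode needs 5.5.2 or later, so this targets a newer PHP than the php5 path in the post.

```php
<?php
declare(strict_types=1);

// Points 1 and 3: never accept a session ID from the URL, cookies only.
// Applied per request here so it also works where php.ini is not editable.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
// Reject session IDs the server did not generate itself (PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');

// Point 4: Secure so the cookie only travels over HTTPS, HttpOnly so page
// script cannot read it. Array form requires PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

function clientIp(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Point 5: compare the address recorded at login with the current one.
// A mismatch is treated as "log out and ask again", not as proof of hijacking,
// because clients behind carrier NAT or on mobile networks can legitimately
// change address mid-session.
function sessionIsBoundToClient(): bool
{
    if (!isset($_SESSION['bound_ip'])) {
        return false; // no login has been recorded in this session
    }
    return $_SESSION['bound_ip'] === clientIp();
}

function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Point 2: on successful login discard the pre-login ID, so an ID the client
// carried before authenticating is never promoted to an authenticated session.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);            // true: remove the old session data
    $_SESSION['user_id']      = $userId;
    $_SESSION['bound_ip']     = clientIp();
    $_SESSION['logged_in_at'] = time();
}

// Guard to call at the top of every authenticated page.
function requireLogin(): void
{
    if (empty($_SESSION['user_id']) || !sessionIsBoundToClient()) {
        destroySession();
        header('Location: /login.php', true, 302);
        exit;
    }
}

// Placeholder credential check against a constructed in-memory table; a real
// application would look the user up in its own store. Returns the user ID or null.
function authenticate(string $user, string $pass): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => [1, password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$user]) || !password_verify($pass, $users[$user][1])) {
        return null;
    }
    return $users[$user][0];
}

// Hypothetical login handler wiring the pieces together.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    $userId = authenticate((string) $_POST['user'], (string) $_POST['pass']);
    if ($userId !== null) {
        onSuccessfulLogin($userId);
        header('Location: /home.php', true, 302);
        exit;
    }
}
```

Put the ini_set() and session_set_cookie_params() calls before session_start() on every entry point (or in php.ini), call onSuccessfulLogin() only after credentials have been verified, and call requireLogin() before rendering anything on a protected page.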

http://us3.php.net/manual/en/session.security.php

http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/
