Session hijacking and PHP

by

Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called “session riding”.

You should use this code in a php header file:

ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);
session_start();

This code prevents session fixation. It also helps protect against xss from access document.cookie which is one way that Session Hijacking can occur. Enforcing HTTPS only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called “secure cookies”, which is a terrible name for it. Also STS is a very cool security feature, but not all browsers support it (yet).

More Related Contents:

  1. Proper session hijacking prevention in PHP
  2. PHP Session Fixation / Hijacking
  3. “Keep Me Logged In” – the best approach
  4. How to properly add cross-site request forgery (CSRF) token using PHP
  5. Preventing session hijacking
  6. What do I need to store in the php session when user logged in?
  7. Is it secure to store a password in a session? [duplicate]
  8. Secure and Flexible Cross-Domain Sessions
  9. Parse error: syntax error, unexpected T_STRING in C:\wamp\www\b_php\project\login_save.php on line 14 [closed]
  10. How can I sanitize user input with PHP?
  11. How can I store my users’ passwords safely?
  12. Simplest two-way encryption using PHP
  13. How to fake $_SERVER[‘REMOTE_ADDR’] variable?
  14. Login without HTTPS, how to secure?
  15. Is it safe to trust $_SERVER[‘REMOTE_ADDR’]?
  16. Destroy PHP Session on closing
  17. How to tell if a session is active? [duplicate]
  18. Set Session variable using javascript in PHP
  19. Find Number of Open Sessions
  20. How to enable DDoS protection?
  21. How to set session timeout in Laravel?
  22. Cookies vs. sessions in PHP
  23. How can I determine a file’s true extension/type programmatically?
  24. Can I serve MP3 files with PHP?
  25. PHP Session ID changing on every request
  26. How to keep a PHP session active even if the browser is closed?
  27. Same domain, different folder PHP session
  28. Reopening a session in PHP
  29. Json: PHP to JavaScript safe or not?
  30. Extending session timeout in PHP via the .htaccess

Leave a Comment