Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration: session_id(sha1(uniqid(microtime())); This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from /dev/urandom … Read more
Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called “session riding”. You should use this code in a php header file: ini_set(‘session.cookie_secure’,1); ini_set(‘session.cookie_httponly’,1); ini_set(‘session.use_only_cookies’,1); session_start(); This code prevents session fixation. It also helps protect against xss from access document.cookie which is one way that Session Hijacking can occur. … Read more