Now that we have talked a bit about how the session ID can be stolen, let
us talk a bit about how we can minimize the risk of session fixation.
One thing we can do is to change the session ID often. If the ID changes often, the
chance that an intercepted session ID is still valid is greatly reduced.
We can use one of PHP's built-in functions, called
session_regenerate_id(). When we call this function the session ID will be,
no surprise, regenerated. The client is simply informed that the ID has
changed via an HTTP response header called Set-Cookie.
If you are using PHP 5.2+ then you can tell the browser that JavaScript
should not be given access to the cookie using a flag called httponly. You can
set this flag using the php.ini directive called session.cookie_httponly, or
you can use the session_set_cookie_params() function.
Regarding the issue with shared hosts, the fix is simple: store the session data
somewhere only you have access. You can use the directive called session.save_path
to set another path for storing the session files. You can also store them in a database,
but then you will have to write your own handler and register it with the function called
session_set_save_handler().
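Putting the three mitigations together in one session bootstrap, as an added example that is not part of the original post; the path /var/lib/myapp/sessions, the rotation interval and the helper function names are assumptions:

```php
<?php
// Added example: session bootstrap applying the mitigations discussed above.
// Assumes PHP 5.2+ (the array form of session_set_cookie_params needs 7.3+)
// and a directory writable only by the web server user (constructed path).

// 1. Shared host: keep session files out of the world-readable default /tmp.
$privatePath = '/var/lib/myapp/sessions';          // assumed path, must exist
ini_set('session.save_path', $privatePath);

// 2. HttpOnly keeps document.cookie from reading the id; Secure restricts it
//    to HTTPS; SameSite=Lax blunts cross-site requests carrying the cookie.
if (PHP_VERSION_ID >= 70300) {
    session_set_cookie_params(array(
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ));
} else {
    // Older signature: lifetime, path, domain, secure, httponly
    session_set_cookie_params(0, '/', '', true, true);
}
// Reject ids the server never issued (PHP 5.5.2+); a fixated id is then
// replaced instead of being adopted as-is.
ini_set('session.use_strict_mode', '1');

session_start();

/**
 * Call on every privilege change (login, logout, role change). Regenerating
 * the id here defeats fixation: an id planted before authentication is never
 * promoted to an authenticated session. true deletes the old session file so
 * the stale id cannot be resumed.
 */
function promoteSession(array $identity)
{
    session_regenerate_id(true);
    $_SESSION['user'] = $identity;
    $_SESSION['last_regen'] = time();
}

/**
 * Periodic rotation for long-lived sessions: narrows the window in which an
 * intercepted id stays valid. Call on each request after session_start().
 */
function rotateSessionIfStale($maxAge = 300)   // assumed 5-minute interval
{
    if (!isset($_SESSION['last_regen']) || time() - $_SESSION['last_regen'] > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
}
```

Each regeneration is delivered to the browser as a new Set-Cookie header, so the old id stops working as soon as the response is received.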