Preventing session hijacking and forgery attacks
Regenerating session IDs
- Why?
  - Shortens the amount of time the session identifier is exposed
- How?
  - session_regenerate_id()
Providing a logout option
- Why?
  - Shortens the time the session identifier is active
  - Destroys the actual session data
- How?
  - Unset $_SESSION values
  - Expire the session cookie
  - Run session_destroy()
Keeping sessions short
- Do this for sensitive operations
- Why?
  - Limits the exposure to attack
- How?
  - Set up a timer (record the session start time)
  - If the session is past its time:
    - Reset $_SESSION, expire the cookie, run session_destroy()
- Important!
  - session.cache_limiter and session.cache_expire do not affect the lifetime of the session!
Do not rely solely on the session ID
- Build a "profile" of the user:
  - $_SERVER["HTTP_USER_AGENT"]
  - $_SERVER["REMOTE_ADDR"]
  - $_SERVER["HTTP_ACCEPT_LANGUAGE"]
  - Reasonable date and time
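The four measures above (ID regeneration, logout, a short idle lifetime, and a client profile check) combined into one PHP session bootstrap, as an added example that is not part of the original slides; the idle and rotation intervals and the function names are assumed values chosen for the example.

```php
<?php
// Added example: the outline's session-hardening steps as one PHP bootstrap.
// SESSION_MAX_IDLE and ROTATE_AFTER are assumed values, not from the original deck.
const SESSION_MAX_IDLE = 600; // seconds of inactivity before the session is killed
const ROTATE_AFTER     = 300; // seconds before the session ID is regenerated again

function sessionFingerprint(): string
{
    // "Profile" of the client, hashed so raw header values are not kept in the session.
    // REMOTE_ADDR is on the outline but changes legitimately behind NAT/mobile carriers.
    return hash('sha256', implode('|', [
        $_SERVER['HTTP_USER_AGENT'] ?? '',
        $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ]));
}

function endSession(): void
{
    // Logout: unset $_SESSION values, expire the cookie, destroy the server-side data.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function secureSessionStart(): void
{
    session_start();
    $now = time();
    $stale = isset($_SESSION['fingerprint']) && (
        !hash_equals($_SESSION['fingerprint'], sessionFingerprint())
        || ($now - $_SESSION['last_active']) > SESSION_MAX_IDLE);
    if ($stale) {                // profile mismatch or idle timeout: start over
        endSession();
        session_start();
    }
    if (!isset($_SESSION['fingerprint'])) {      // fresh or just-reset session
        session_regenerate_id(true);              // delete the old ID's data too
        $_SESSION['fingerprint'] = sessionFingerprint();
        $_SESSION['started']     = $now;
    } elseif ($now - $_SESSION['started'] > ROTATE_AFTER) {
        session_regenerate_id(true);              // periodic rotation shortens exposure
        $_SESSION['started'] = $now;
    }
    $_SESSION['last_active'] = $now;             // the "timer" the outline refers to
}
```

Call secureSessionStart() before any page reads $_SESSION, and endSession() from the logout handler; note that session.cache_limiter and session.cache_expire play no part here because they only control HTTP caching headers.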