Comments on: How to improve PHP session security http://www.rawseo.com/news/2009/04/23/how-to-improve-php-session-security/ A blend of programming and seo Wed, 17 Feb 2010 21:29:09 -0500 hourly 1 By: Dr. ROX http://www.rawseo.com/news/2009/04/23/how-to-improve-php-session-security/comment-page-1/#comment-3386 Dr. ROX Sat, 18 Jul 2009 09:31:12 +0000 http://www.rawseo.com/news/?p=843#comment-3386 There's also session fixation attack, where hacker can write his own session ID to address bar, like site.com?sid=587395. You should use session_regenerate() after session_start() There’s also session fixation attack, where hacker can write his own session ID to address bar, like site.com?sid=587395. You should use session_regenerate() after session_start()

]]> By: Wayne State Web Communications Blog » Blog Archive » [Friday Links] The Swine Edition http://www.rawseo.com/news/2009/04/23/how-to-improve-php-session-security/comment-page-1/#comment-969 Wayne State Web Communications Blog » Blog Archive » [Friday Links] The Swine Edition Sat, 02 May 2009 00:50:21 +0000 http://www.rawseo.com/news/?p=843#comment-969 [...] How to improve PHP session security | A blend of programming and seo [...] [...] How to improve PHP session security | A blend of programming and seo [...]

]]> By: ??????? » [Web] ???? http://www.rawseo.com/news/2009/04/23/how-to-improve-php-session-security/comment-page-1/#comment-672 ??????? » [Web] ???? Fri, 24 Apr 2009 02:32:12 +0000 http://www.rawseo.com/news/?p=843#comment-672 [...] How to improve PHP session security [...] [...] How to improve PHP session security [...]

]]> By: Robert Hafner http://www.rawseo.com/news/2009/04/23/how-to-improve-php-session-security/comment-page-1/#comment-656 Robert Hafner Thu, 23 Apr 2009 17:40:57 +0000 http://www.rawseo.com/news/?p=843#comment-656 For reference, its not enough to just use SSL. You have to actually tell the session cookie that it needs to use SSL as well, using the "session_set_cookie_params" function. This funciton takes give options- lifetime (defaults to the browser session), path (defaults to the current path, its sometimes useful to change this to '/'), the domain (useful if you want your session to work across subdomains), and finally the two we're interested in- secure is a boolean telling the system whether to use SSL or not, and the final argument is a boolean to see if javascript should be able to access the session cookie (this is one of the most missed security features I've seen). session_set_cookie_params(0, '/', null, isset($_SERVER["HTTPS"]), true); For reference, its not enough to just use SSL. You have to actually tell the session cookie that it needs to use SSL as well, using the “session_set_cookie_params” function.

This funciton takes give options- lifetime (defaults to the browser session), path (defaults to the current path, its sometimes useful to change this to ‘/’), the domain (useful if you want your session to work across subdomains), and finally the two we’re interested in- secure is a boolean telling the system whether to use SSL or not, and the final argument is a boolean to see if javascript should be able to access the session cookie (this is one of the most missed security features I’ve seen).

session_set_cookie_params(0, ‘/’, null, isset($_SERVER["HTTPS"]), true);

]]> By: How to improve PHP session security | A blend of programming and seo | Webmaster Tools http://www.rawseo.com/news/2009/04/23/how-to-improve-php-session-security/comment-page-1/#comment-652 How to improve PHP session security | A blend of programming and seo | Webmaster Tools Thu, 23 Apr 2009 15:38:15 +0000 http://www.rawseo.com/news/?p=843#comment-652 [...] View original here:  How to improve PHP session security | A blend of programming and seo [...] [...] View original here:  How to improve PHP session security | A blend of programming and seo [...]

]]> By: EllisGL http://www.rawseo.com/news/2009/04/23/how-to-improve-php-session-security/comment-page-1/#comment-648 EllisGL Thu, 23 Apr 2009 14:01:42 +0000 http://www.rawseo.com/news/?p=843#comment-648 My version is mostly the same, but just creates a new session. // Secure the session. if(isset($_SESSION['HTTP_USER_AGENT'])) { if($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) { session_regenerate_id(); $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); } } else { $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); } My version is mostly the same, but just creates a new session.

// Secure the session.
if(isset($_SESSION['HTTP_USER_AGENT']))
{
if($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
{
session_regenerate_id();
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
}
else
{
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

]]>