While I was reading articles about session hijacking, I learned that it would be nice to encrypt the session id value that is stored in a cookie.
As far as I know, when I start a session by calling session_start(), PHP does not encrypt the session id value in the cookie.
How do I encrypt the session id value and then initialize the session with it?
Encrypting won't help. The session cookie is just a magic number anyway. Encrypting it just means there's a different magic number to hijack. Depending on what hijacking scenarios you have in mind, there are other possible mitigations. For example, you can limit sessions to a single IP. That poses some issues though, e.g. people switching between wireless points.
It's more important that your session IDs are random (that is, someone can't use their session ID to guess another person's), as the real danger is somebody getting their hands on another user's session ID. As long as you keep them truly random, there's no reason for, or utility in, encrypting it.
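A PHP session bootstrap that puts the answers' advice into practice (rely on PHP's own random ids, reject ids the server never issued, regenerate the id after login, and optionally bind the session to the client IP with the wireless-roaming caveat noted above). This is an added example, not code from the question or either answer; the function names are assumed.

```php
<?php
// Added example (not from the question or answers): session hardening that
// follows the answers' advice instead of encrypting the session id.
declare(strict_types=1);

function start_hardened_session(bool $bindToIp = false): void
{
    // Reject session ids that PHP did not generate itself, so an id chosen by
    // someone else is never accepted as a valid session (PHP >= 5.5.2).
    ini_set('session.use_strict_mode', '1');
    // Never accept the session id from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');

    // Cookie flags: not readable by JavaScript, only sent over HTTPS,
    // and not attached to cross-site requests (array form needs PHP >= 7.3).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);

    session_start();

    // Optional IP binding, the mitigation the first answer mentions. Caveat from
    // that answer: users who move between networks (e.g. wireless access points)
    // will lose their session.
    if ($bindToIp) {
        $clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
        if (isset($_SESSION['bound_ip']) && !hash_equals($_SESSION['bound_ip'], $clientIp)) {
            // Id presented from a different address: wipe the data and issue a new id.
            $_SESSION = [];
            session_regenerate_id(true);
        }
        $_SESSION['bound_ip'] = $clientIp;
    }
}

// Call after a successful login: a fresh id means any id that was observed
// before authentication no longer refers to the authenticated session.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);   // true also deletes the old session data
    $_SESSION['user_id'] = $userId;
}
```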