Menu
Would it prevent, for example, session hijacking? If not, what can I do to make my php sessions secure?
356
What is sent to the client is a session identifier and not a session variable. These session identifiers are usually set as a cookie in the client. Of course, if anyone gets hold of the session identifier (for example, by using cross site scripting attack) from the user's browser or client, he can set the session identifier in his own client and impersonate as the other user.
Session variables, however, usually refer to the values in $_SESSION array. See http://www.php.net/manual/en/function.session-start.php for an example. These values are never sent over the network to the client.
As far as protecting session identifiers is concerned, I have already explained in the first paragraph that they are stored as cookies in the browser. In an HTTP session, the cookies are transmitted between the server and client in cleartext. This is vulnerable to eavesdropping (for example, a guy on a router through which your packets pass could capture your packets and read the session identifier from it). The best way to overcome this problem is to use HTTPS instead.
162
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
