Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most widely used software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


Protect Session IDs in PHP


What to Do

Protect session IDs from disclosure by storing them only in session cookies, sending those cookies only over SSL/TLS, and setting the "secure" and "HttpOnly" flags on them.

Why

The session ID is the bearer credential for an authenticated session: anyone who obtains it can act as that user until the session expires. Keeping the ID confidential is what prevents session hijacking.

How

To protect session IDs:

  1. Store session IDs in cookies only. This is the default behavior in PHP; do not carry the ID in the query string or in a form field.
  2. Enable SSL/TLS. Without it the session cookie travels in cleartext and can be read by anyone on the network path. Refer to the documentation for your web server for information about enabling and configuring SSL/TLS.
  3. Set the "secure" flag on session cookies so the browser only sends them over an HTTPS connection. Edit the php.ini file and configure the "session.cookie_secure" setting, like this:

session.cookie_secure = On

  4. Set the "HttpOnly" flag on session cookies so the cookie cannot be read by client-side script, which limits what a cross-site scripting bug can steal. Edit the php.ini file and configure the "session.cookie_httponly" setting, like this:

session.cookie_httponly = On

  5. Do not disclose session IDs. Make sure that session IDs never appear in URLs, logs, or error messages; URLs in particular end up in browser history, proxy logs and Referer headers. Do not allow PHP to rewrite session IDs into URLs (transparent session ID support): disable that feature and configure PHP to accept session IDs from cookies only.
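The following is an added example that puts the five steps together in application code; it is not code from the original post or from TeamMentor. It enforces the php.ini settings above at runtime, refuses to start a session over plain HTTP, rotates the ID at login, and shows how to reference a session in a log line without writing the ID itself. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and its "samesite" option); the function names, the SameSite=Strict choice, and the HTTPS detection via $_SERVER['HTTPS'] are assumptions for this example.

```php
<?php
// Added example (not from the original post): harden PHP session cookies at
// runtime and verify the result. Assumes PHP >= 7.3 and that the PHP process
// itself terminates TLS (no reverse proxy), so $_SERVER['HTTPS'] is reliable.
declare(strict_types=1);

/**
 * Apply the session-cookie protections from the five steps. These mirror
 * the php.ini settings but are enforced by the application, so a host with a
 * weaker php.ini cannot silently undo them.
 */
function harden_session_config(): void
{
    // Step 1 and 5: keep the ID only in a cookie, never accept it from the
    // query string, and never let PHP rewrite it into URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not generate (mitigates session fixation).
    ini_set('session.use_strict_mode', '1');

    // Steps 3 and 4: secure + HttpOnly. SameSite=Strict is an assumption that
    // no cross-site entry point (e.g. an SSO callback) needs the session.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dropped when the browser closes
        'path'     => '/',
        'domain'   => '',       // host-only cookie
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
}

/**
 * Return the session settings that are still weak, or an empty array when
 * everything is as intended. Suitable as a startup or health-check assertion.
 */
function weak_session_settings(): array
{
    $expected = [
        'session.cookie_secure'    => '1',
        'session.cookie_httponly'  => '1',
        'session.use_only_cookies' => '1',
        'session.use_trans_sid'    => '0',
        'session.use_strict_mode'  => '1',
    ];
    $weak = [];
    foreach ($expected as $name => $want) {
        $have = (string) ini_get($name);
        // php.ini may spell booleans as On/Off; ini_set uses "1"/"0".
        $normalized = in_array(strtolower($have), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
        if ($normalized !== $want) {
            $weak[] = $name . '=' . var_export($have, true);
        }
    }
    return $weak;
}

/**
 * Step 2: start the session only when the request actually arrived over TLS.
 * On a plain-HTTP request we refuse, rather than emit a Secure cookie the
 * browser will discard and leave the user with a session that cannot work.
 */
function start_protected_session(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        http_response_code(403);
        exit('Session requires HTTPS');
    }
    harden_session_config();
    $weak = weak_session_settings();
    if ($weak !== []) {
        // Fail closed: do not run with a session ID that can leak.
        error_log('Refusing to start session, weak settings: ' . implode(', ', $weak));
        http_response_code(500);
        exit;
    }
    session_start();
}

/**
 * After a privilege change (login), issue a fresh ID so any ID observed
 * before authentication is worthless to an attacker.
 */
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

/**
 * Step 5: never write the raw session ID to logs or error output. When a
 * log needs to correlate requests by session, use a truncated hash instead.
 */
function session_log_token(string $sessionId): string
{
    return substr(hash('sha256', $sessionId), 0, 12);
}
```

The same protections belong in php.ini as well (session.cookie_secure, session.cookie_httponly, session.use_only_cookies = 1, session.use_trans_sid = 0, session.use_strict_mode = 1), so that scripts which do not call harden_session_config() are still covered; the runtime check then serves to catch a host whose php.ini drifted. After deploying, confirm the flags by inspecting the Set-Cookie header of a login response: it should carry the Secure and HttpOnly attributes, and no response body or redirect URL should contain the PHPSESSID value.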
