The ID will be shorter, but uses more characters. While this doesn't make it any harder to crack, it does make a difference when the attacker tries to guess the session identifier. Set this to session.hash_bits_per_character = 5. Send a strong hash: session.hash_bits_per_character in php.ini. If PHP = 5.3, set it to session.hash_function = sha256 or session.hash_function = sha512. Use a strong session hash identifier: session.hash_function in php.ini. You can however put steps in to make it very difficult and harder to use. You cannot directly prevent session hijacking. That means that since the attacker has the identifier, they are all but indistinguishable from the valid user with respect to the server. This is where an attacker gets a hold of a session identifier and is able to send requests as if they were that user. Regenerate the session ID anytime the session's status changes. This will tell PHP to never use URLs with session identifiers. Set e_only_cookies = 1 in your php.ini file. This will tell PHP not to include the identifier in the URL, and not to read the URL for identifiers. Set e_trans_sid = 0 in your php.ini file. There are a few ways to prevent session fixation (do all of them): Once the attacker gives the url to the client, the attack is the same as a session hijacking attack. Typically in PHP it's done by giving them a url like. This is where an attacker explicitly sets the session identifier of a session for a user. Ok, there are two separate but related problems, and each is handled differently.
0 Comments
Leave a Reply. |