how to prevent sessions id from being seen in debuggers?
So it seems like Opera Dragonfly is able to cache cookies as well as ses开发者_运维技巧sion info. In particular the PHPSSID my question is. Would there be a way to hide PHPSSID from being shown by any time of debugger/developer tool?
I don't mind cookies since they are secured. As the data in them is hashed with double salt as well as few other things so forging them is no a problem for me.
But I want to assure PHP sessions are not seen. How would I be able to achieve this?
In short the answer is: You can't, that is not session id's work.
The point of a session id is that is a very random number, often called a cryptographic nonce. This value is intended to be very difficult to guess, it is then used to reference state about that session on the server side. This could be in a database or by default PHP uses the file /tmp/THE_SESSION_ID
. The data stored in $_SESSION
is stored in this file and the user cannot obtain this data.
In PHP to keep attackers from stealing a user's session id you should set session.cookie_secure=On
in your php.ini. This forces the session to be over HTTPS.
If you are using HTTPS, then the session id will be obscured from attackers on that network. By using HTTPS session id's cannot be hijacked with tools like Wireshark or Firesheep. Not using HTTPS is a violation of OWASP A9: Insufficient Transport Layer Protection. However a user can still see his own session id by looking at his cookies javascript:document.cookie
or by using TamperData.
精彩评论