Avoiding session hijacking with Kohana

Do I have to do anything special to avoid session hijacking using Kohana framework? I'm assuming the session is manipulated only with the Kohana Session library.


Native sessions are the most prone to hijacking, as they are not secured against cookie stealing. There is very little security applied to native sessions beyond the defaults that PHP provides. For better security, you should probably add a user agent or ip address check.

Cookie sessions are salted, and support encryption. You should change Cookie::$salt to increase the security.

Database sessions also use a salted cookie to store the session id, so again, you should change the salt.

Edit: You are talking about v2, which has greater security applied to the session, as it extends the native sessions. This approach is more prone to odd PHP issues, but provides greater security. Check the session configuration file for adding user_agent and ip_address checks.
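As an added illustration of the user_agent and ip_address validation this answer points to (this is not Kohana's code and not from the answer; the helper names session_fingerprint() and session_is_valid() and the shape of the session array are assumptions), a session bound to one browser fingerprint is rejected when the same cookie is replayed from a different one:

```php
<?php
// Added illustration, not Kohana's own code: the kind of check that
// Kohana 2's session config 'validate' option (user_agent, ip_address,
// expiration) turns on. A session created by one browser/IP is rejected
// when the same cookie is later presented with a different fingerprint,
// which is what a replayed (stolen) session cookie usually looks like.

// Hypothetical helper: the request fields the session is bound to.
// $server is $_SERVER, or a constructed array for offline testing.
function session_fingerprint(array $server): array
{
    return [
        'user_agent' => $server['HTTP_USER_AGENT'] ?? '',
        'ip_address' => $server['REMOTE_ADDR'] ?? '',
    ];
}

// Hypothetical helper: validate stored session data against the current
// request. $fields mirrors the config 'validate' list; $lifetime is the
// expiration in seconds. Returns TRUE to continue, FALSE to destroy.
function session_is_valid(array $session, array $server, array $fields, int $lifetime): bool
{
    $current = session_fingerprint($server);
    foreach ($fields as $field) {
        if ($field === 'expiration') {
            // Idle sessions older than $lifetime are no longer accepted.
            if ((int) ($session['last_activity'] ?? 0) + $lifetime < time()) {
                return false;
            }
            continue;
        }
        // Constant-time comparison; a mismatch on any bound field fails.
        // Caveat: ip_address binding also ends sessions of legitimate users
        // whose address changes (mobile networks, rotating proxies).
        if (!isset($session[$field]) || !hash_equals((string) $session[$field], $current[$field] ?? '')) {
            return false;
        }
    }
    return true;
}

// Constructed demo: a session bound to one UA/IP, then replayed from another IP.
$session = ['user_agent' => 'Mozilla/5.0 (X11; Linux x86_64)', 'ip_address' => '203.0.113.5', 'last_activity' => time()];
$same    = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)', 'REMOTE_ADDR' => '203.0.113.5'];
$other   = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)', 'REMOTE_ADDR' => '198.51.100.9'];
$checks  = ['user_agent', 'ip_address', 'expiration'];
var_dump(session_is_valid($session, $same,  $checks, 7200));
var_dump(session_is_valid($session, $other, $checks, 7200));
```

In a real application the FALSE branch should destroy the server-side session and issue a fresh id rather than simply refusing the request.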


I would check out the relevant files on GitHub.

Depending on the driver you use, e.g. native or db, you may want to dig deeper.


For more security I would use database sessions and encrypt the cookies (which hold the session id).
