Avoiding session hijacking with Kohana
Do I have to do anything special to avoid session hijacking using Kohana framework? I'm assuming the session is manipulated only with the Kohana Session library
Native sessions are the most prone to hijacking, as they are not secured against cookie stealing. There is very little security applied to native sessions beyond the defaults that PHP provides. For better security, you should probably add a user agent or ip address check.
Cookie sessions are salted, and support encryption. You should change Cookie::$salt to increase the security.
Database sessions also use a salted cookie to store the session id, so again, you should change the salt.
Edit: You are talking about v2, which has greater security applied to the session, as it extends the native sessions. This approach is more prone to odd PHP issues, but provides greater security. Check the session configuration file for adding user_agent and ip_address checks.
I would check out the relevant files on GitHub.
Depending on the driver you use, e.g. native or db, you may want to dig deeper.
For more security I would use database sessions and encrypt the cookies (which holds the session id).
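The two defences recommended above, binding the session to a user agent (optionally an IP address) check and storing the session id in a cookie signed with a secret salt, shown as a plain-PHP example. This is added code, not Kohana's own session or Cookie implementation; the function names, the `SESSION_SALT` placeholder and the constructed `$server` arrays are assumptions, and Kohana's own config keys are not quoted.

```php
<?php
// Added example (not Kohana's code): a minimal session guard that
// (1) binds the session to a fingerprint of the client's User-Agent, and
// (2) signs the cookie carrying the session id with a secret salt,
// the same idea as Kohana's Cookie::$salt.

// Assumption: placeholder secret; use a long random value in real deployments.
const SESSION_SALT = 'change-me-to-a-long-random-secret';

// Build the fingerprint the session is bound to. The User-Agent is cheap
// and stable; the client IP is optional because it breaks for users
// behind rotating proxies or mobile carriers.
function session_fingerprint(array $server, bool $include_ip = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($include_ip) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

// Sign a cookie value so a forged session id without a matching
// signature is rejected before it reaches the session store.
function sign_cookie(string $value): string
{
    return $value . '~' . hash_hmac('sha256', $value, SESSION_SALT);
}

// Returns the original value when the signature matches, null otherwise.
function verify_cookie(string $signed): ?string
{
    $pos = strrpos($signed, '~');
    if ($pos === false) {
        return null;
    }
    $value = substr($signed, 0, $pos);
    $mac   = substr($signed, $pos + 1);
    // hash_equals compares in constant time, so no timing leak on the MAC
    return hash_equals(hash_hmac('sha256', $value, SESSION_SALT), $mac) ? $value : null;
}

// Called on every request after the session is loaded.
// Returns true when the session may be used, false when it was cleared.
function guard_session(array &$session, array $server): bool
{
    $fp = session_fingerprint($server);
    if (!isset($session['fingerprint'])) {
        // First request: bind the session to this client.
        $session['fingerprint'] = $fp;
        return true;
    }
    if (!hash_equals($session['fingerprint'], $fp)) {
        // Fingerprint changed: treat the session as hijacked and drop it.
        $session = [];
        return false;
    }
    return true;
}

// Constructed demo: the same client twice, then a request with a
// different User-Agent presenting the same session.
$session = [];
$server1 = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)', 'REMOTE_ADDR' => '192.0.2.10'];
$server2 = ['HTTP_USER_AGENT' => 'curl/8.0', 'REMOTE_ADDR' => '192.0.2.10'];
var_dump(guard_session($session, $server1));
var_dump(guard_session($session, $server1));
var_dump(guard_session($session, $server2));

// Constructed demo: a signed cookie round-trips, a forged one is rejected.
$cookie = sign_cookie('constructed-session-id');
var_dump(verify_cookie($cookie));
var_dump(verify_cookie('forged-id~' . str_repeat('0', 64)));
```

The guard clears the session rather than only denying the request, so a stolen session id becomes useless to whoever replays it; the legitimate user simply logs in again. Enable the IP component only where clients have stable addresses, otherwise the check causes spurious logouts.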