How Do I Make Sessions More Secure? [duplicate]

This question already has answers here: Closed 12 years ago.

Possible Duplicate:

PHP Session Security

I am using sessions all throughout my application. I want to make them much more secure. Currently I am using code like 开发者_运维知识库$username = $_SESSION['username']; and the like.

How do I make my sessions more secure?

---

The first thing you'll want to watch out for is Session Hijacking. To quote Wikipedia:

In computer science, session hijacking refers to the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

The basic idea is, if a visitor to your website (Alice) has a session cookie and a session ID (let's assume it's 12345), then if a malicious user (Mallory) is able to learn Alice's session ID via either JavaScript, traffic sniffing, social engineering or other methods, then Mallory can browse to your site and set his session ID to 12345 and he effectively becomes Alice.

One way to prevent this is to alter the session ID on every request, which you can do via the PHP session_regenerate_id function. You would call session_regenerate_id at the beginning of every request, after calling session_start()

Please be aware that this is a very complicated topic. I'd highly recommended reading the Wikipedia article and making sure you fully understand the issues at play.

EDIT: I was about to type a lot more information out for you, but then I realized that your question really is a duplicate of this StackOverflow question. I'd recommended reading that as a starting point.

---

It depends a lot what you are trying to protects. If you are worried about that the information contained in the session could be exposed or modified, you don't have to worry about that since it can only be seen and modified by the server.

If you are worried about the possibility that some people could use other people session, you can do the following :

• Analyze your code and make sure you have no XSS flaw.
• Use SSL to prevent session hijacking if your visitor are using public network.
• Make sure your session are using the HTTP Only flag

---

Use md5 version of a password in the database and then md5 encrypt the session password, so that if the password is correct, then these 2 values will be the same.