Session management is a core part of web security. Users should ensure that several practices are in place to protect against session identity theft.
There are a couple of ways that session security can be compromised:
Luckily, there are some countermeasures that prevent these things from happening, applied by adding configuration to the php.ini file.
We can add either of the following:
session.use_cookies = 1
session.use_only_cookies = 1
Cookies are the preferred way to manage session IDs.
A session can be regenerated using the session_regenerate_id() function:
This will replace the current session id with a new one, and keep the current session information.
You can choose to delete the old session by adding the boolean parameter and setting it to true:
session.cookie_httponly = On
This can also be done with the session_set_cookie_params() function, passing true as the fifth parameter:
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
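The following is an added example, not code from the original article: a minimal PHP 5.5 login handler that applies the cookie-only and HttpOnly settings described above at runtime (ini_set() is the runtime equivalent of the php.ini directives), sets the cookie flags with session_set_cookie_params(), and calls session_regenerate_id(true) after a successful login so the pre-login session ID is discarded. The function check_credentials() and the demo credentials are placeholders, not part of any real library.

```php
<?php
// Added example (not from the original article). Placeholder names:
// check_credentials() and the 'demo' credentials stand in for a real check.

// Runtime equivalent of the php.ini directives; must run before session_start().
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);   // never accept a session ID from the URL
ini_set('session.cookie_httponly', 1);    // client-side scripts cannot read the cookie

// Same HttpOnly flag via session_set_cookie_params(): the fifth argument is $httponly.
// Lifetime 0 = cookie lasts until the browser closes; $secure sends it only over HTTPS.
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
session_set_cookie_params(0, '/', '', $secure, true);

session_start();

// Placeholder credential check; replace with a lookup against your user store.
function check_credentials($user, $pass)
{
    return $user === 'demo' && $pass === 'demo-password';
}

if (isset($_POST['user'], $_POST['pass'])
    && check_credentials($_POST['user'], $_POST['pass'])) {
    // Replace the session ID on privilege change. Passing true also deletes the
    // old session data, so an ID obtained before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
    $_SESSION['logged_in_at'] = time();
}

// Logout: clear the data, expire the cookie with the same flags, destroy the session.
if (isset($_GET['logout'])) {
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The ini_set() calls and session_set_cookie_params() only take effect if they run before session_start(), which is why they sit at the top of the script; a framework that starts the session earlier needs these settings in php.ini instead.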
Some basic session security measures should also be followed:
Note: This article is based on PHP version 5.5.