-
-
Save XTechnology-TR/cbab7f117f6ef5f3314dc84430a8bf97 to your computer and use it in GitHub Desktop.
Security with cookies: - PREVENTING SESSION HIJACKING
- PREVENTING SESSION FIXATION
- Uses a secure connection (HTTPS) if possible
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| With .htaccess just need to add these flags: | |
| php_value session.cookie_httponly 1 | |
| php_value session.cookie_secure 1 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Edit next files: | |
| ; /etc/php5/cli/php.ini | |
| ; /etc/php5/apache2/php.ini | |
| ; By specifying the HttpOnly flag when | |
| ; setting the session cookie you can | |
| ; tell a users browser not to expose | |
| ; the cookie to client side scripting | |
| ; such as JavaScript. This makes it | |
| ; harder for an attacker to hijack | |
| ; the session ID and masquerade as | |
| ; the effected user. | |
| session.cookie_httponly = 1 | |
| ; It is also a good idea to make sure | |
| ; that PHP only uses cookies for | |
| ; sessions and disallow session | |
| ; ID passing as a GET parameter: | |
| session.use_only_cookies = 1 | |
| ; PHP has ini setting to ensure session | |
| ; cookies are only sent over secure | |
| ; connections: | |
| session.cookie_secure = 1 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // **PREVENTING SESSION HIJACKING** | |
| // Prevents javascript XSS attacks aimed to steal the session ID | |
| ini_set('session.cookie_httponly', 1); | |
| // **PREVENTING SESSION FIXATION** | |
| // Session ID cannot be passed through URLs | |
| ini_set('session.use_only_cookies', 1); | |
| // Uses a secure connection (HTTPS) if possible | |
| ini_set('session.cookie_secure', 1); | |
| // OR if u want to add directly to setcookie function | |
| setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL); | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment