hugopereira84 · March 20, 2025 22:08
diff --git a/secure_with_htaccess b/secure_with_htaccess
 With .htaccess just need to add these flags: 
 php_value session.cookie_httponly 1
 php_value session.cookie_secure 1
diff --git a/secure_with_ini.ini b/secure_with_ini.ini
 ; Edit next files:
 ; /etc/php5/cli/php.ini
 ; /etc/php5/apache2/php.ini

 ; By specifying the HttpOnly flag when 
 ; setting the session cookie you can 
 ; tell a users browser not to expose 
 ; the cookie to client side scripting 
 ; such as JavaScript. This makes it 
 ; harder for an attacker to hijack 
 ; the session ID and masquerade as 
 ; the effected user.
 session.cookie_httponly = 1

 ; It is also a good idea to make sure 
 ; that PHP only uses cookies for 
 ; sessions and disallow session 
 ; ID passing as a GET parameter:
 session.use_only_cookies = 1

 ; PHP has ini setting to ensure session 
 ; cookies are only sent over secure 
 ; connections:
 session.cookie_secure = 1
diff --git a/secure_with_php.php b/secure_with_php.php
 <?php
 // **PREVENTING SESSION HIJACKING**
 // Prevents javascript XSS attacks aimed to steal the session ID
 ini_set('session.cookie_httponly', 1);

 // **PREVENTING SESSION FIXATION**
 // Session ID cannot be passed through URLs
 ini_set('session.use_only_cookies', 1);

 // Uses a secure connection (HTTPS) if possible
 ini_set('session.cookie_secure', 1);
 // OR if u want to add directly to setcookie function
 setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL);
 ?>
	With .htaccess just need to add these flags:
	php_value session.cookie_httponly 1
	php_value session.cookie_secure 1
	; Edit next files:
	; /etc/php5/cli/php.ini
	; /etc/php5/apache2/php.ini

	; By specifying the HttpOnly flag when
	; setting the session cookie you can
	; tell a users browser not to expose
	; the cookie to client side scripting
	; such as JavaScript. This makes it
	; harder for an attacker to hijack
	; the session ID and masquerade as
	; the effected user.
	session.cookie_httponly = 1

	; It is also a good idea to make sure
	; that PHP only uses cookies for
	; sessions and disallow session
	; ID passing as a GET parameter:
	session.use_only_cookies = 1

	; PHP has ini setting to ensure session
	; cookies are only sent over secure
	; connections:
	session.cookie_secure = 1
	<?php
	// PREVENTING SESSION HIJACKING
	// Prevents javascript XSS attacks aimed to steal the session ID
	ini_set('session.cookie_httponly', 1);

	// PREVENTING SESSION FIXATION
	// Session ID cannot be passed through URLs
	ini_set('session.use_only_cookies', 1);

	// Uses a secure connection (HTTPS) if possible
	ini_set('session.cookie_secure', 1);
	// OR if u want to add directly to setcookie function
	setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL);
	?>