Thor
Honorary Master
- Joined
- Jun 5, 2014
- Messages
- 44,236
How do I prevent someone from hijacking my session?
Assume I have a page which should only be visible to my logged in user and I do something like this (just an example):
PHP:
<?php
session_start();
if (!(isset($_SESSION['logged_in_user_id']) && $_SESSION['logged_in_user_id'] != '')) {
    header("Location: default_public_page.php");
    // Stop here: header() only sends a redirect, the rest of the page would
    // still be sent to the client without this exit.
    exit;
}
?>
<html>
<head>
<meta charset="UTF-8">
<title>Logged In Page</title>
</head>
<body>
Some restricted content
</body>
</html>
After reading this https://secure.php.net/manual/en/session.security.php I was thinking of adding this to the beginning of my pages in order to override any global settings in php.ini and essentially prevent GET_[SessionID] from URLs:
PHP:
// Both settings must be applied before session_start() is called,
// otherwise they have no effect on the current request.
ini_set( 'session.use_only_cookies', TRUE );
ini_set( 'session.use_trans_sid', FALSE );
At least that is my understanding. In my mind, awareness + protection = security, so what I am trying to ask is: please point out what the dangers of doing this are, if any, and what to use/do instead? I.e. make me aware of the dangers.
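The two ini settings in the post only stop the session ID from travelling in URLs. The other common ways a session ID leaks or gets reused (cookie readable by script, cookie sent over plain HTTP, an ID the server never issued, an ID that survives login) are controlled by separate PHP settings. The following is an added example, not the poster's code, showing one way to bundle all of it into a single include placed before any output on a restricted page. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params and the samesite option) and that the site is served over HTTPS; the function names, the 30-minute rotation interval and the session keys are the example's own choices.

```php
<?php
// Added example: hardened session bootstrap for a restricted page.
// Include this before any HTML is sent; header() and the cookie settings
// fail once output has started.

function secure_session_start(): void
{
    // Every ini_set() here must run BEFORE session_start(); afterwards it is ignored.
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');    // never append the ID to links/forms
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue (fixation)

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // only sent over HTTPS (assumes the site is HTTPS)
        'httponly' => true,   // not readable by JavaScript, limits theft via XSS
        'samesite' => 'Lax',  // not sent with cross-site POSTs, limits CSRF
    ]);

    session_start();

    // Rotate the ID every 30 minutes (example interval) so a leaked ID
    // has a short useful lifetime.
    $now = time();
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    } elseif ($now - $_SESSION['created_at'] > 1800) {
        session_regenerate_id(true); // true = delete the old session file
        $_SESSION['created_at'] = $now;
    }
}

// Same check as in the post, with the exit that makes the redirect effective.
function require_login(string $redirect_to = 'default_public_page.php'): void
{
    if (!isset($_SESSION['logged_in_user_id']) || $_SESSION['logged_in_user_id'] === '') {
        header('Location: ' . $redirect_to);
        exit; // without exit the restricted HTML below is still sent to the client
    }
}

// Call this from the login handler after the password has been verified.
// A fresh ID on privilege change means an ID fixed or observed before
// login is no longer tied to the authenticated session.
function login_user(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['logged_in_user_id'] = $user_id;
    $_SESSION['created_at'] = time();
}

// Call this from the logout handler: clear the data, expire the cookie, destroy the session.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of a restricted page:
secure_session_start();
require_login();
```

With this in place the session ID is only ever carried in a Secure, HttpOnly cookie, unknown IDs are refused rather than adopted, and the ID changes on login and on a timer. The page-level code from the post stays the same apart from the `exit` after `header()`, which is the one change that matters most: without it the redirect is sent but so is the restricted content.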