Author: Admin 02/17/2022
Language: Plain Text
Tags: php manual cookie securing session
By securing the session-related INI settings, developers can improve session security. Some important INI settings ship without a recommended value, so developers are responsible for hardening the session settings themselves.
A cookie lifetime of 0 possesses a particular meaning: it tells browsers not to write the cookie to permanent storage, so the session ID cookie is deleted as soon as the browser is closed. Setting this to anything other than 0 may allow other users to reuse the session ID. Most applications should use 0 for this.
If an auto-login feature is required, developers must implement their own secure auto-login feature. Do not use long-lived session IDs for this. More information can be found above in the relevant section.
Although HTTP cookies have some problems, they remain the preferred way to manage session IDs. Use cookies for session ID management whenever possible; most applications should carry the session ID in a cookie.
If session.use_only_cookies=Off, the session module will also accept session ID values supplied via GET, POST or the URL whenever the session ID cookie has not been set.
Enabling session.use_strict_mode is mandatory for secure sessions; it is disabled by default. It prevents the session module from using an uninitialized session ID. Put differently, the session module only accepts valid session IDs that it generated itself and rejects any session ID supplied by users.
Because of the way the cookie specification works, attackers are able to plant session ID cookies that the application cannot remove, for example by modifying a local cookie database or through JavaScript injection. session.use_strict_mode prevents such an attacker-initialized session ID from being used.
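As an added example (not code from the PHP manual page), the following PHP bootstrap applies the settings discussed above (a cookie lifetime of 0, session.use_only_cookies and session.use_strict_mode) before session_start() and then audits the effective INI values so that a deployment running with weak settings fails closed instead of serving requests. The directive name session.cookie_lifetime for the lifetime setting, and the additional session.cookie_httponly, session.cookie_secure and session.cookie_samesite flags, are standard PHP directives that go beyond what this excerpt states; the function names and the fail-closed policy are my own choices.

```php
<?php
// Added example, not from the PHP manual: harden and audit session INI settings.
// Assumes PHP >= 7.3 (session.cookie_samesite) and that the session.* directives
// are not locked down at the php.ini level (they are PHP_INI_ALL by default).

declare(strict_types=1);

/**
 * Values a hardened session should run with. The three directives discussed in
 * the text come first; the remaining cookie flags are additional hardening that
 * the excerpt above does not cover.
 */
const HARDENED_SESSION_INI = [
    'session.use_only_cookies' => '1',      // never accept a session ID from GET/POST/URL
    'session.use_strict_mode'  => '1',      // reject session IDs the module did not generate
    'session.cookie_lifetime'  => '0',      // browser-session cookie: removed when the browser closes
    'session.cookie_httponly'  => '1',      // additional: cookie not readable from JavaScript
    'session.cookie_secure'    => '1',      // additional: cookie only sent over HTTPS
    'session.cookie_samesite'  => 'Strict', // additional: cookie not attached to cross-site requests
];

/**
 * Apply the hardened values. Must run before session_start(): ini_set() on
 * session.* directives fails once a session is already active.
 */
function hardenSessionIni(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('Session INI settings must be set before session_start()');
    }
    foreach (HARDENED_SESSION_INI as $directive => $value) {
        // ini_set() returns the previous value on success (possibly ""), false on failure.
        if (ini_set($directive, $value) === false) {
            throw new RuntimeException("Could not set $directive (locked by php.ini or disabled?)");
        }
    }
}

/**
 * Compare the effective INI values against the hardened set. Returns a map of
 * directive => ['expected' => ..., 'actual' => ...] for every mismatch, so it
 * can double as a startup check or a deployment health check.
 */
function auditSessionIni(): array
{
    // Boolean INI values may read back as "1"/"0" or "On"/"Off"; normalise both sides.
    $norm = static function (string $v): string {
        $lower = strtolower($v);
        if (in_array($lower, ['1', 'on', 'true', 'yes'], true)) {
            return '1';
        }
        if (in_array($lower, ['0', 'off', 'false', 'no', ''], true)) {
            return '0';
        }
        return $v;
    };

    $findings = [];
    foreach (HARDENED_SESSION_INI as $directive => $expected) {
        $actual = ini_get($directive); // string, or false if the directive is unknown
        if ($norm((string) $actual) !== $norm($expected)) {
            $findings[$directive] = ['expected' => $expected, 'actual' => $actual];
        }
    }
    return $findings;
}

// Usage: harden, audit, and only then start the session.
hardenSessionIni();
$findings = auditSessionIni();
if ($findings !== []) {
    // Fail closed: a session layer running with weak settings should not serve requests.
    foreach ($findings as $directive => $f) {
        error_log(sprintf(
            'weak session setting %s: expected %s, got %s',
            $directive,
            $f['expected'],
            var_export($f['actual'], true)
        ));
    }
    http_response_code(500);
    exit;
}
session_start();
```

The audit runs after the hardening call on purpose: if a php.ini or .htaccess setting silently overrides one of the values, the mismatch is logged and the request is refused rather than continuing with a session that accepts attacker-supplied IDs. Note that session.cookie_secure=1 means the browser will not send the cookie over plain HTTP, so a development environment without TLS must either use HTTPS locally or drop that single flag there, never in production.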
Read More: PHP: Securing Session INI Settings - Manual