How to encrypt session id in cookie?

春和景丽 2021-02-06 05:43

While I was reading articles about session hijacking, I learned that it would be nice to encrypt the session ID value that is stored in a cookie.

As far as I know, when I s

8 answers
  •  被撕碎了的回忆
    2021-02-06 06:07

    Unfortunately encrypting the session ID is not going to increase security much, as the attacker can just use the encrypted form (which is the only thing visible to them anyways).

    The only thing this might prevent is the trick where you send someone a link with ?PHPSESSID=foo in it, which will cause PHP to create that session. You can prevent that by using encryption and validation, but you should rather turn off session ID transfer in the URL completely.
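
The mitigation the answer recommends, as an added example that is not part of the original answer: it turns off session ID transfer in the URL and, going slightly beyond the answer, also rejects IDs the server did not issue and rotates the ID at login. The function name `login_user` is hypothetical, and the array form of `session_set_cookie_params` assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the original answer).
// All session settings must be applied before session_start().

// Accept the session ID from the cookie only, so a link carrying
// ?PHPSESSID=foo is ignored instead of selecting a session.
ini_set('session.use_only_cookies', '1');

// Never rewrite links or forms to carry the session ID in the URL.
ini_set('session.use_trans_sid', '0');

// Reject IDs the server did not issue: an uninitialized ID supplied
// by the client is replaced with a freshly generated one.
ini_set('session.use_strict_mode', '1');

// Cookie attributes that limit where the ID is exposed.
session_set_cookie_params([
    'httponly' => true,   // not readable from page scripts
    'secure'   => true,   // sent over HTTPS only
    'samesite' => 'Lax',  // not attached to most cross-site requests
]);

session_start();

// Hypothetical helper: call once credentials have been verified.
// Rotating the ID at the privilege change means an ID that was known
// before login does not identify the authenticated session.
function login_user(int $userId): void
{
    session_regenerate_id(true);      // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}
```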
