How to encrypt session id in cookie?

春和景丽 2021-02-06 05:43

While I was reading about session hijacking articles, I learned that it would be nice to encrypt the session id value that is stored in a cookie.

As far as I know, when I s

8 Answers
  • 2021-02-06 06:19

    Make this script, access it from a web browser, then check your cookies.

    <?php
      session_start();
    ?>
    

    You will likely see something like this

    Site         Cookie      Value
    mysite.com   PHPSESSID   6fktilab3hldc5277r94qh2204
    

    PHP does a fine job of generating a nice, unique id. There's no point in encrypting this.

    0 Discussion (0)
  • 2021-02-06 06:20

    The session ID is relatively unguessable, so that's not really the issue.

    There are a few things you can do related to this to counteract attacks:

    • create a new session when a user signs in
    • limit the length of a session

    There are quite a few other things as well. I always recommend studying the Rails Guide on these issues-- it offers a very accessible explanation of known problems and countermeasures-- all equally applicable to PHP code.

    0 Discussion (0)
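
The two countermeasures listed in the answer above (a new session at sign-in, a limited session length), sketched in PHP as an added example that is not part of the original answers. The function names, the timeout values and the `demo-user` stand-in for a real credential check are assumptions.

```php
<?php
// Added example, not from the original answers. Timeout values and the
// function names below are assumptions chosen for illustration.
const IDLE_TIMEOUT = 900;       // seconds without activity before the session ends
const ABSOLUTE_TIMEOUT = 28800; // maximum session age in seconds, active or not

// Start the session and enforce both lifetime limits on every request.
// Returns true while the session is within its limits, false if it was reset.
function start_limited_session(): bool
{
    session_start();
    $now = time();
    $created = $_SESSION['created_at'] ?? $now;
    $lastSeen = $_SESSION['last_seen'] ?? $now;

    if ($now - $lastSeen > IDLE_TIMEOUT || $now - $created > ABSOLUTE_TIMEOUT) {
        // Expired: drop the server-side data and issue a fresh, empty session.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
        $_SESSION['last_seen'] = $now;
        return false;
    }
    $_SESSION['created_at'] = $created;
    $_SESSION['last_seen'] = $now;
    return true;
}

// Call only after credentials were verified: the pre-login id is discarded,
// so an id that was known before sign-in no longer maps to the session.
function sign_in(string $userId): void
{
    session_regenerate_id(true); // true = delete the old session's stored data
    $_SESSION['user_id'] = $userId;
    $_SESSION['created_at'] = time(); // the absolute lifetime restarts at sign-in
    $_SESSION['last_seen'] = time();
}

start_limited_session();
if (!isset($_SESSION['user_id'])) {
    sign_in('demo-user'); // constructed stand-in for a real credential check
}
echo 'Signed in as ', $_SESSION['user_id'], PHP_EOL;
```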