How to encrypt session id in cookie?

后端 未结 8 1542
春和景丽
春和景丽 2021-02-06 05:43

While I was reading about session hijacking articles, i learned that it would be nice to encrypt session id value that is stored in a cookie.

As far as I know, when I s

相关标签:
8条回答
  • 2021-02-06 06:19

    Make this script, access it from a web browser, then check your cookies.

    <?php
      session_start();
    ?>
    

    You will likely see something like this

    Site         Cookie      Value
    mysite.com   PHPSESSID   6fktilab3hldc5277r94qh2204
    

    PHP does a fine job if generating a nice, unique id. There's not point in encrypting this.

    0 讨论(0)
  • 2021-02-06 06:20

    The session ID is relatively unguessable, so that's not really the issue.

    There are a things you can do related to this to counteract attacks:

    • create a new session when a user signs in
    • limit the length of a session

    There are quite a few other things as well. I always recommend studying the Rails Guide on these issues-- it offers a very accessible explanation of known problems and countermeasures-- all equally applicable to PHP code.

    0 讨论(0)
提交回复
热议问题