{"id":1996,"date":"2019-04-15T21:55:17","date_gmt":"2019-04-15T20:55:17","guid":{"rendered":"https:\/\/ibex.tech\/cloud\/?p=1996"},"modified":"2022-02-17T07:14:01","modified_gmt":"2022-02-17T07:14:01","slug":"_session-security","status":"publish","type":"post","link":"https:\/\/ibex.tech\/cloud\/php\/sessions\/_session-security","title":{"rendered":"$_SESSION security"},"content":{"rendered":"\n<p>$_SESSION[] in PHP is secure, but of course it is only as secure as your application makes it.  The session variables \/ parameters are stored at the server level, with the user given a pseudorandom string (&#8220;session ID&#8221;) for them to identify themselves with.  The weakness is that if that string is intercepted by an attacker, the attacker can present it and be treated as that user.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Security Recommendations \/ Best practice<\/h4>\n\n\n\n<p>Look through &#8220;Session Management Basics&#8221; in the PHP manual.<\/p>\n\n\n\n<p>Always use HTTPS (to stop attackers from reading the session ID cookie in transit), and set session.cookie_secure so the browser never sends that cookie over plain HTTP.<\/p>\n\n\n\n<p>Enable session.use_strict_mode<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Rejects uninitialized session IDs (IDs the server never issued), which blocks session fixation by an attacker who plants an ID of their own choosing<\/li><li>Ensures every accepted session was actually created by the server, so an application-chosen ID prefix (eg, $userId-) can be trusted<\/li><\/ul>\n\n\n\n<p>Enable session.use_only_cookies and disable session.use_trans_sid<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Stops a user accidentally leaking their session ID by sharing a URL that has the ID embedded in it<\/li><li>Prevents the session ID from leaking to other sites through the Referer header<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>$_SESSION[] in PHP is secure, but of course it is only as secure as your application makes it. The session variables \/ parameters are stored at the server level, with the user given a pseudorandom string (&#8220;session ID&#8221;) for them to identify themselves with. The weakness is that if that string is intercepted by an attacker, [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[79],"tags":[],"class_list":["post-1996","post","type-post","status-publish","format-standard","hentry","category-sessions"],"_links":{"self":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/1996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/comments?post=1996"}],"version-history":[{"count":1,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/1996\/revisions"}],"predecessor-version":[{"id":1997,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/1996\/revisions\/1997"}],"wp:attachment":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/media?parent=1996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/categories?post=1996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/tags?post=1996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
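The recommendations above (strict mode, cookie-only session IDs, no trans_sid, HTTPS-only cookie) applied from application code, as an added example that is not part of the original post or of the PHP manual. It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params() and setcookie()); the function names secure_session_start(), login_user() and logout_user() are illustrative names chosen here, and the login helper adds session_regenerate_id() so an ID presented before authentication does not survive into the logged-in session:

```php
<?php
// Added example (not from the original post): a session bootstrap that applies
// the hardening settings the post recommends, plus login/logout helpers that
// rotate and discard the session ID at the two moments an attacker cares about.
// Assumes PHP >= 7.3. Function names are illustrative, not a PHP or framework API.

declare(strict_types=1);

function secure_session_start(): void
{
    // Weak configuration this replaces (what an unhardened php.ini may still have):
    //   session.use_strict_mode  = 0  -> accepts an attacker-supplied, never-issued ID (fixation)
    //   session.use_only_cookies = 0  -> accepts PHPSESSID from the query string
    //   session.use_trans_sid    = 1  -> rewrites the ID into links (leaks via shared URLs / Referer)
    //   session.cookie_secure    = 0  -> cookie also sent over plain HTTP
    // Corrected values, set at runtime before session_start(); the same lines belong in php.ini.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');   // keep the ID out of document.cookie

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only, matching the post's "always use HTTPS"
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// After successful authentication: issue a fresh server-created ID so an ID the
// attacker planted or observed before login is not attached to the logged-in session.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = remove the old session data as well
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// On logout: clear server-side state AND expire the cookie, otherwise the browser
// keeps presenting the old ID (harmless under strict mode, but no reason to leave it).
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical request flow (constructed usage, not from the post):
secure_session_start();
if (isset($_POST['username'], $_POST['password']) && authenticate($_POST['username'], $_POST['password'])) {
    login_user(lookup_user_id($_POST['username']));   // authenticate()/lookup_user_id() are app-specific
}
```

Call secure_session_start() before any output on every request that touches the session; the ini_set() calls only take effect if they run before session_start(), and the same values should also live in php.ini as a backstop so a script that skips the bootstrap does not fall back to the weak defaults. The comment in login_user() about session_regenerate_id(true) is the simple form; the PHP manual's "Session Management Basics" page discusses keeping the old session briefly for concurrent requests if that matters for your application.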