The number of users on the internet is increasing every hour, and with it comes a new set of security challenges. Below are some steps for improving session security in PHP.
- Use SSL/TLS on your website, especially on pages where the user provides personal information or where the session is created. This lowers the chances of someone reading the packets on the network. Note that if only some pages are served over HTTPS, the session cookie is still sent in the clear on the plain-HTTP pages unless it carries the Secure flag (session.cookie_secure), so it is safer to serve the whole site over HTTPS and mark the cookie Secure and HttpOnly.
- The default session lifetime in PHP is 1440 seconds (24 minutes), set by session.gc_maxlifetime in php.ini, and you can lower it. Be aware that this value only marks idle session data as eligible for garbage collection, which runs probabilistically (session.gc_probability / session.gc_divisor), so it is not a hard expiry. Enforce the timeout in your own code as well: store a last-activity timestamp in the session and destroy any session that has been idle longer than your limit.
- Regenerate the session ID whenever the session's privilege level changes, above all right after a successful login. Use session_regenerate_id(true), which creates a new session ID and deletes the old session data, so an ID an attacker planted before login (session fixation) is never promoted to an authenticated session. Regenerating on every request is possible, but it can break concurrent requests (AJAX calls still in flight with the old ID), so regenerate at privilege changes rather than on every action.
- Check that the visitor's IP address does not change during the session. Store $_SERVER['REMOTE_ADDR'] at login and compare it on every request; if it differs, kill the session with session_destroy() (and also clear $_SESSION and expire the session cookie, since session_destroy() alone does neither). Compare REMOTE_ADDR, not headers such as X-Forwarded-For, which the client can set freely. Bear in mind that legitimate users on mobile networks or behind rotating proxies do change IP address, so this check trades some usability for security; you may prefer to treat an IP change as a signal that requires re-authentication rather than a silent logout.
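The four points above fit together into one session bootstrap. The following is an added example written for this page, not code from the original post: the function names (secure_session_start, session_login, session_check, session_kill), the 15-minute idle limit and the cookie name are assumptions, and it needs PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
// Added session-hardening example (not from the original post).
// Assumed names: secure_session_start(), session_login(), session_check(),
// session_kill(); assumed idle limit of 15 minutes; assumed cookie name.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900; // seconds of inactivity before the session dies

function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIMIT);

    session_set_cookie_params([
        'lifetime' => 0,       // cookie is discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS, never on plain-HTTP pages
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_name('APPSESSID'); // assumed cookie name
    session_start();

    // Application-enforced inactivity timeout. gc_maxlifetime only makes idle
    // data eligible for garbage collection; this check is the real expiry.
    $now = time();
    if (isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > SESSION_IDLE_LIMIT) {
        session_kill();
        session_start(); // fresh, empty session with a new ID
    }
    $_SESSION['last_activity'] = $now;
}

function session_login(int $userId): void
{
    // Privilege change: issue a new ID and delete the old session data so a
    // fixated ID handed to the victim before login is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['bound_ip']      = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_activity'] = time();
}

function session_check(): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    // Bind to REMOTE_ADDR (the TCP peer), not X-Forwarded-For, which the
    // client can set to anything it likes.
    if (($_SESSION['bound_ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        session_kill();
        return false;
    }
    return true;
}

function session_kill(): void
{
    // session_destroy() removes the server-side data only; clear the
    // superglobal and expire the cookie ourselves.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Typical use at the top of every page:
secure_session_start();
if (!session_check()) {
    // not logged in, or IP changed, or idle too long: send to the login page
    header('Location: /login.php');
    exit;
}
```

Call session_login($id) only after the credentials have been verified; the regenerate happens inside it so the pre-login ID is never reused. If the IP binding causes too many spurious logouts for mobile users, keep the check but redirect to a re-authentication page instead of destroying the session outright.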
Hopefully the above points will help you provide better security to your users.