What measures can be taken to improve session security in PHP

The number of users on the internet are increasing every passing hour and with it brings a new set of challenges with respect to security. I will be highlighting some steps below on how to improve your session security in PHP.

  1. Use SSL on your website especially on those pages where the user is going to provide his personal information or pages where the session will be created. This should lower the chances of some one reading the data packets over the network.
  2. Default session timeout on most hosting servers is 24 minutes. This value can be lowered by changing the value of session.gc_maxlifetime in php.ini.
  3. Regenerate the session before performing any action against that session. Use session_regenerate_id(true) which will delete the old session id and create a new session id.
  4. Check that the IP address of the visitor does not change. If the IP address changes then kill that session using session_destroy().
  5. Set session.use_only_cookies to 1 in your php.ini which will force PHP to use cookies to store the session id which should also lower any chance of session hijacking.

Hopefully the above points should help you in providing better security to your users.

Be the first to comment

Leave a Reply