Secure Session: Prevent session hijacking or session fixation
| Recommend this page to a friend! |
 Author |
 |
|
Innovation award Nominee: 7x | |||||||||||||||||||
This class can be used to prevent security attacks known as session hijacking and session fixation.
When a session is initialized the class computes a fingerprint string that takes in account the browser user agent string, the user agent IP address or part of it and a secret word. If the fingerprint value changes, it is very likely that the session was hijacked and it should no longer be accepted.
To prevent session fixation attacks the calls the PHP session_regenerate_id() function so the session identifier changes everytime the session is checked.
When a session is initialized the class computes a fingerprint string that takes in account the browser user agent string, the user agent IP address or part of it and a secret word. If the fingerprint value changes, it is very likely that the session was hijacked and it should no longer be accepted.
To prevent session fixation attacks the calls the PHP session_regenerate_id() function so the session identifier changes everytime the session is checked.
| Classes of Vagharshak Tozalakyan | > | Secure Session | > |  Download .zip .tar.gz |
> |  Support forum (21) |
> |  Blog |
> |   Latest changes |
|
|
|
||||||||||||||||||||||
| Groups |  User ratings |
Trackback | Applications |  Files |
| Groups |
 User Management |
User records, authentication and session handling | View top rated classes |
| Security |
Security protection and attack detection | View top rated classes |
| Innovation Award |
 January 2006 Number 2 Prize: One book of choice by O'Reilly |
Sessions have become one of possible features that can be exploited to perform security attacks to PHP sites. Sessions are not insecure by themselves, but if they are not used with a certain care, they may be eventually abused by malicious users. Session hijacking abuses can happen when somebody with privileged network access can sniff traffic that goes to potential victim site. Session fixation abuses can happen when a site uses the same session identifier for the same user before and after he authenticates to log in. This class provides a solution to prevent these kinds of session abuses to prevent that PHP sites that use sessions become compromised. Manuel Lemos |
| User ratings |
| Ratings | Utility | Consistency | Documentation | Examples | Tests | Videos | Overall | Rank |
|---|---|---|---|---|---|---|---|---|
| All time: | Good (91%) | Good (88%) | - | Good (85%) | - | - | Sufficient (63%) | 1042 |
| Month: | Not yet rated by the users | |||||||
| Pages that reference this package |
| PHP Session Management There is no such thing as a 100% secure anything in this world of hackers/counter hackers... |
Latest pages that reference packages
| Applications that use this package |
No pages of applications that use this class were specified.
If you know an application of this package, send a message to the author to add a link here.
 Install with Composer - Download all files: secure_session.tar.gz secure_session.zipNOTICE: if you are using a download manager program like 'GetRight', please Login before trying to download this archive.
|
