Sessions :: Hijack :: Fixation
Regenerate the session id whenever the privilege level changes (e.g. on login), so an id the attacker planted before authentication never becomes an authenticated one.
session_regenerate_id()
Never use the same session id for http and https
Disallow arbitrary session id
```php
<?php
session_start();

// First request with this session: replace whatever id arrived with one the
// server issued, then mark the session so this runs only once.
if (!isset($_SESSION['initiated'])) {
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}
```
Track User-Agent and/or IP (warning: proxies)
Identify consistencies in requests, and then warn on deviations
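The slide's points combined into one session bootstrap, as an added example (not code from the original slides): strict mode rejects unknown ids, http and https get separate cookies, the id is regenerated on first use and on every privilege change, and the User-Agent is bound to the session. The function names, cookie names and `$_SESSION` keys are assumptions.

```php
<?php
// Added example; names below are assumptions, not from the original slides.

// Disallow arbitrary session ids: PHP discards ids it did not issue itself.
ini_set('session.use_strict_mode', '1');

function secure_session_start(bool $https): void
{
    // Distinct cookie names so an id set over http is never accepted on https.
    session_name($https ? 'SESSID_SECURE' : 'SESSID');
    session_set_cookie_params([
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Only the User-Agent is bound; IP is left out because proxies make it
    // change legitimately mid-session.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    if (!isset($_SESSION['initiated'])) {
        // Fresh session: drop the id the client sent and record expectations.
        session_regenerate_id(true);
        $_SESSION['initiated']   = true;
        $_SESSION['fingerprint'] = $fingerprint;
        $_SESSION['privilege']   = 'anonymous';
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // Deviation from the recorded User-Agent: warn and invalidate.
        error_log('session ' . session_id() . ': User-Agent changed, destroying');
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit;
    }
}

function elevate_privilege(string $newLevel): void
{
    // Privilege changed (login, admin mode): delete the old id so a fixated
    // id cannot ride along into the higher privilege level.
    session_regenerate_id(true);
    $_SESSION['privilege'] = $newLevel;
}

secure_session_start(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

Call `elevate_privilege('user')` after a successful credential check, and again with a higher level before any step-up action, rather than only at login.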