This article enumerates PHP session tips and tricks. I assume you are already familiar with the session concept and have a good understanding of it; if so, this will be a good review for you.
Originally these tips were private notes, but it is worth sharing them with others; they may also help you in brute-force interviews :"D
- Try to avoid using the REMOTE_ADDR header as a fingerprint, since the client IP address can change during a session (mobile networks, proxies, VPNs). Instead use
- Starting the session twice may cause problems. Instead use session_id() to check whether a session has already been started (on PHP 5.4 and later, session_status() === PHP_SESSION_ACTIVE is the explicit check).
- Don't start the session after sending output, because the headers have already been sent and PHP cannot set the session cookie; check with headers_sent() if in doubt.
- Use the session_save_path() function before starting the session to change the session save directory; on shared hosts you sometimes cannot access the /tmp directory, and session files in a shared /tmp may be readable by other accounts on the same server.
- Existing sessions will be lost if you change
- Session serialization is done internally by PHP using
- A session is not available to concurrent requests at the same time: once a request accesses it, the session file is locked until that request finishes. Call session_write_close() as soon as you no longer need the session if you are doing heavy work, so that other requests (for example parallel AJAX calls from the same browser) can proceed instead of queuing behind it.
- You can resume a session after closing it with
- The session identifier is generated with a hash function; the default is MD5 (128 bit), and SHA-1 (160 bit) can be selected instead. This describes the session.hash_function directive of PHP 5.x and 7.0; PHP 7.1 removed it and now builds the id from random bytes, with its length controlled by session.sid_length and session.sid_bits_per_character.
- Because session data is serialized, resource variables (database connections, file handles) cannot be stored in the session.
- Implement your own session handler to encrypt the data stored in the session. The default handler is "files"; you can change it using the session.save_handler ini directive or using
- You can change the name of the cookie that holds the session id using the session.name ini directive; the default is
- Don’t set
TRUE, that may cause problems.
- session.gc_maxlifetime specifies the number of seconds after which session data is considered garbage and may be removed by the garbage collector (which runs on session start with probability session.gc_probability / session.gc_divisor).
- Enable session.use_strict_mode and regenerate the session id with session_regenerate_id() after the user logs in to avoid session fixation, read more
TRUE, to prevent the user from sending the session id in the URL.
- session.cookie_lifetime specifies the lifetime of the session cookie in seconds; the value 0 means "until the browser is closed". Also read about
FALSE to tell PHP not to put the session id in the URL when cookies are disabled.
All these tips reduce the probability of session hijacking; they do not prevent it entirely.
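The following PHP puts several of the tips above together in working form. It is an added example, not code from the original article: an encrypting save handler built on top of the default files handler, a bootstrap that sets the ini directives before session_start(), session_regenerate_id() on login, and session_write_close() around heavy work. It assumes PHP 8.0 or later with the sodium extension, a 32-byte key supplied as 64 hex characters in a hypothetical SESSION_KEY environment variable, a session directory of my choosing outside /tmp, and the files handler's sess_<id> file naming; the class and function names are mine.

```php
<?php
declare(strict_types=1);
// Added example, not code from the article. Assumes PHP >= 8.0 with ext-sodium.

// Wraps the built-in "files" handler so what reaches disk is ciphertext.
// Stored blob layout: 24-byte nonce || secretbox(data).
final class EncryptedSessionHandler extends SessionHandler implements SessionUpdateTimestampHandlerInterface
{
    public function __construct(private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be exactly 32 bytes');
        }
    }

    public function read(string $id): string|false
    {
        $blob = parent::read($id);
        $min  = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if ($blob === false || strlen($blob) < $min) {
            return '';                           // new or empty session
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        // Failed MAC = tampered file or rotated key: start empty rather than trust the bytes.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return parent::write($id, $nonce . sodium_crypto_secretbox($data, $nonce, $this->key));
    }

    // The files handler checks ids itself, but once it is wrapped in a user handler PHP
    // consults only validateId(); without this method session.use_strict_mode accepts any id.
    // Assumes session.save_path is a plain directory (not the "N;mode;/dir" form).
    public function validateId(string $id): bool
    {
        return preg_match('/^[A-Za-z0-9,-]+$/', $id) === 1 && is_file(session_save_path() . "/sess_$id");
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return touch(session_save_path() . "/sess_$id");   // called instead of write() when data is unchanged
    }
}

function secure_session_start(SessionHandlerInterface $handler): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                  // starting twice is the mistake noted above
    }
    if (headers_sent($file, $line)) {
        throw new RuntimeException("cannot start session, output began at $file:$line");
    }
    // Every directive below must be set before session_start().
    ini_set('session.use_strict_mode', '1');     // reject ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');    // never read the id from the URL
    ini_set('session.use_trans_sid', '0');       // never write the id into URLs or forms
    ini_set('session.cookie_lifetime', '0');     // cookie lives until the browser closes
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');       // assumes the site is served over TLS
    ini_set('session.cookie_samesite', 'Lax');
    ini_set('session.gc_maxlifetime', '1440');   // idle data is garbage after 24 minutes
    session_save_path('/var/lib/php/sessions/myapp');   // assumed dir outside shared /tmp; must exist, mode 0700
    session_set_save_handler($handler, true);
    session_start();
}

function login(int $userId): void
{
    // Fresh id after authentication: an id planted before login no longer reaches this session.
    session_regenerate_id(true);                 // true = destroy the old session file
    $_SESSION['user_id'] = $userId;
}

function run_heavy_work(callable $job): mixed
{
    $userId = $_SESSION['user_id'] ?? null;      // copy what the job needs first
    session_write_close();                       // drop the per-session lock so parallel requests proceed
    $result = $job($userId);
    session_start();                             // reopen (and re-lock) if the request still needs $_SESSION
    return $result;
}

// Usage; SESSION_KEY is a hypothetical env var holding 64 hex chars.
$keyHex = getenv('SESSION_KEY');
if ($keyHex === false) {
    throw new RuntimeException('SESSION_KEY is not set');
}
secure_session_start(new EncryptedSessionHandler(sodium_hex2bin($keyHex)));
// After the application has verified credentials: login($authenticatedUserId);
```

The validateId() method is the part most often forgotten: PHP's strict-mode check is delegated to the save handler, so a custom handler that omits SessionUpdateTimestampHandlerInterface leaves session.use_strict_mode switched on in php.ini but doing nothing.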