Possible Duplicate:
PHP Session Security
When I started my first website with PHP, I was storing the user_id directly to the session. I was happy, everything was going well. I could check if the user is logged-in, or if he is visiting the page he has the privilege to visit. Until I discovered the painful fact that my system is totally insecure. So I started digging for solutions. I found many many posts and suggested solutions, but, there were always downsides, we're on situation that we shouldn't accept downsides, even the tiny errors will cost, since it's about users' accounts Security.
Here the strategies I've found so far:
- Checking the IP address.
- Checking the User Agent.
- Regenerating session_id each short period.
- Salted MD5 Hash and fingerprinting.
- SSL and HTTPS.
- Some mixtures of these above.
Unless you prove that one of these is trusted.
After two days of searching I ended up saying: "So now what?".
What is the most common way? What is Stackoverflow or Facebook using?
I'm using Symfony2 as a framework, I checked the documentation, but didn't find something built-in about sessions security. May a Symfony2 experts help me out.
I read a lot and got tired, since the issue is not new, so any direct advice or even helpful links will be highly appreciated. I believe people got more experience today.
