
These questions are related: one and two, the former says it's used to prevent name conflict between apps in the same domain. The latter says it can be used for anti-session hijacking.

While the former appears to be the real purpose of session_name(), I am not sure about the latter. Does it really protect against session hijacking? I think it can confuse the attacker in finding out cookie names instead of the default PHPSESSID but is that all?

What's the real purpose of session_name()?

IMB
    Well, "help prevent" as in the attacker's program needs to be smarter (e.g. needs to "find" the cookie first) or the attacker needs to invest more time (e.g. manually "find" the cookie first); that is, it could "help prevent" the site being trawled en masse and it could "help prevent" cookie sniffing where cookies cannot be enumerated. I would *not* tell someone that I used it to "prevent session hijacking" however, as that makes it sound like it adds .. well, security. (OTOH, reusing the same cookie name will very much cause multiple same-domain session-requiring apps to not function well ;-) – Aug 21 '12 at 22:14

2 Answers


It happens to me to have two (or more) different applications on the same domain.

Allowing different sessions to coexist on the same domain is the real scope of session_name(), IMHO.

Ivan Buttinoni

Does it really protect against session hijacking?

No. It is trivial for an attacker to visit your site and see what session name you are using instead of the default (simply by viewing the headers), so this function doesn't really provide any session hijacking protection. Its purpose is to allow you to change the default PHPSESSID to something else, or avoid collisions between apps on the same domain.

Tim Fountain
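The point both answers make, as an added example that is not part of either answer: two PHP apps under one host (hypothetical paths `/shop/` and `/forum/`) each call session_name() before session_start() so their cookies, and therefore their server-side session data, do not collide. The session name itself is sent to every visitor in the Set-Cookie header, so the cookie flags set alongside it are what actually reduce hijacking risk, not the name.

```php
<?php
// Added example, not from the question or answers. Assumes PHP 7.3+ for the
// array form of session_set_cookie_params() and two apps deployed under
// /shop/ and /forum/ on the same host (hypothetical layout).
declare(strict_types=1);

function startAppSession(string $name, string $path): void
{
    // session_name() requires at least one letter; keep to a safe charset so
    // the value is also a valid cookie name (it is a cookie name, not a secret).
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]*$/', $name)) {
        throw new InvalidArgumentException("invalid session name: $name");
    }
    session_name($name);

    // Scope the cookie to this app's path so the browser never sends the shop
    // cookie to the forum, and set the flags that actually matter against
    // hijacking: Secure (TLS only), HttpOnly (no document.cookie access) and
    // SameSite (not attached to cross-site requests).
    session_set_cookie_params([
        'path'     => $path,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// /shop/index.php: with the default PHPSESSID both apps would share one
// session record; with a distinct name the shop gets its own.
startAppSession('SHOPSESS', '/shop/');
$_SESSION['cart'] = ['sku-123'];

// /forum/index.php would run startAppSession('FORUMSESS', '/forum/') and
// isset($_SESSION['cart']) there is false: the data is in a different session.

// On privilege change (e.g. after login), rotate the id so a session id the
// visitor held before authenticating cannot be reused afterwards.
session_regenerate_id(true);
```

Anyone fetching `/shop/` once sees `Set-Cookie: SHOPSESS=...; path=/shop/; secure; HttpOnly; SameSite=Lax` in the response, which is why renaming the cookie is namespacing rather than protection.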