Possible Duplicate:
What is the best way to prevent session hijacking?
Is encrypting session id (or other authenticate value) in cookie useful at all?

My session handler stores the session ID in a cookie and returns the value of the cookie to use as a reference to the database.

My question is short and simple. Should I encrypt the session ID in the cookie or would this be pointless?

Thanks! :)

  • Why do you think you need to encrypt it? – Jonathan M Nov 11 '12 at 20:33
  • In order to prevent session fixation/hijacking. I'm not sure if it's necessary/will do any good though. :s – user1813383 Nov 11 '12 at 20:34
  • 5
    It is pointless. See a [related answer](http://stackoverflow.com/a/22913/198536). – wallyk Nov 11 '12 at 20:35
  • The cookie value being returned from the client to the server is plain text, unencrypted. So your encryption will not do any good. The exception is if the request is via https, in which case you don'e need to encrypt anyway. – Jonathan M Nov 11 '12 at 20:35

1 Answer

This is totally pointless. Even if you encrypt your session id, an encrypted version will be sent to your server via cookie. If someone wants to hijack it he will steal that encrypted session id and send it to your server. Your server will happily decrypt it.

Shiplu Mokaddim
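The point of the answer above, as an added example that is not part of the original post: a server that decrypts the cookie and then looks the session ID up accepts a captured cookie value exactly as it accepts the legitimate one, so the encryption layer changes nothing about hijacking. The stream cipher, the `SESSIONS` store and the `login`/`whoami` handlers are constructed for this illustration only.

```python
import hashlib
import os
import secrets
from typing import Dict, Optional, Tuple

# Toy cipher for the demonstration only: the argument does not depend on
# which cipher wraps the session ID, only on the cookie being a bearer value.
KEY = secrets.token_bytes(32)


def encrypt(plaintext: bytes) -> bytes:
    """Nonce || (plaintext XOR SHA-256(key || nonce)); plaintext must be <= 32 bytes."""
    nonce = os.urandom(16)
    keystream = hashlib.sha256(KEY + nonce).digest()
    assert len(plaintext) <= len(keystream)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream))


def decrypt(token: bytes) -> bytes:
    nonce, body = token[:16], token[16:]
    keystream = hashlib.sha256(KEY + nonce).digest()
    return bytes(c ^ k for c, k in zip(body, keystream))


# Server-side session store: session ID -> user (constructed for the example).
SESSIONS: Dict[bytes, str] = {}


def login(user: str) -> bytes:
    """Create a server-side session and return the cookie value the browser will store."""
    sid = secrets.token_bytes(16)
    SESSIONS[sid] = user
    return encrypt(sid)


def whoami(cookie_value: bytes) -> Optional[str]:
    """Server side: decrypt the cookie, then use the session ID as the database key."""
    return SESSIONS.get(decrypt(cookie_value))


def demo() -> Tuple[Optional[str], Optional[str]]:
    cookie = login("alice")
    legit = whoami(cookie)            # the real browser presents the cookie
    captured = bytes(cookie)          # the same bytes, observed on an unprotected channel
    hijacked = whoami(captured)       # the server decrypts and accepts them identically
    return legit, hijacked
```

Both calls return `"alice"`; only protecting the channel the cookie travels over (HTTPS, as the comments note) keeps the value from being observed in the first place.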