0

CakePHP saves the session id in a cookie; normally the cookie named CAKEPHP contains the session id, and any other PHP file can start a session with that id:

<?php
// Take the session id from the request (note: $_REQUEST merges GET, POST and COOKIE)
session_id($_REQUEST['CAKEPHP']);
// Resume the session that belongs to that id
session_start();

My question is: is this a secure way of handling the session id? If yes, then how is it secure? If not, what is a better solution?

Subodh Ghulaxe
  • 18,333
  • 14
  • 83
  • 102
  • 1
    you can check [PHP Session Security](http://stackoverflow.com/questions/328/php-session-security) and [Sessions and security ¶](http://php.net/manual/en/session.security.php) to see how to secure sessions – NullPoiиteя Feb 04 '13 at 06:04
  • 1
    also check [session_regenerate_id()](http://www.php.net/session_regenerate_id) – NullPoiиteя Feb 04 '13 at 06:06
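The comments point at `session_regenerate_id()` and the PHP session security manual. As an added example (not code from the question, and not CakePHP's own session handling), the bootstrap below shows the usual hardening applied to the pattern in the question: the id is accepted only from the cookie, never from `$_REQUEST`, ids the server did not generate are rejected, the id is rotated on login, and the data goes to a per-application directory. The cookie name `CAKEPHP` comes from the question; the save path `tmp/sessions`, the `loginUser()` helper and the log line are assumptions made for the example.

```php
<?php
// Added example: hardened replacement for
//   session_id($_REQUEST['CAKEPHP']); session_start();
// Assumed cookie name: CAKEPHP. Assumed save path: ./tmp/sessions.

// 1. Only the Cookie header may carry the id. $_REQUEST also contains GET and POST,
//    so without this a link such as ?CAKEPHP=... would pick the victim's session id.
ini_set('session.use_only_cookies', '1');

// 2. Reject ids that PHP itself did not issue (PHP >= 5.5.2). An id that is not on
//    disk is discarded and a fresh one is generated instead of being adopted.
ini_set('session.use_strict_mode', '1');

// 3. Keep the cookie out of reach of scripts, and off plain HTTP when the site is HTTPS.
ini_set('session.cookie_httponly', '1');
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}

// 4. Store session files in a directory that only this application can read,
//    instead of the shared path from php.ini (assumed location).
ini_set('session.save_path', __DIR__ . '/tmp/sessions');

// Defender's check: an id arriving outside the cookie is worth logging, since a
// legitimate client never sends it that way once use_only_cookies is on.
if (isset($_GET['CAKEPHP']) || isset($_POST['CAKEPHP'])) {
    error_log('session id supplied in query/body from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

session_name('CAKEPHP');
session_start();

// Hypothetical login helper: after any privilege change, issue a new id so that an id
// fixed before login (or leaked earlier) no longer refers to the authenticated session.
function loginUser($userId)
{
    session_regenerate_id(true);      // true = remove the old session file as well
    $_SESSION['user_id'] = $userId;
}

// Hypothetical logout helper: drop the data and the cookie, not just the variables.
function logoutUser()
{
    $_SESSION = array();
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    session_destroy();
}
```

The `ini_set()` calls must run before `session_start()`; once the session has started they have no effect on the current request. The directory given as `session.save_path` has to exist and be writable by the web server user, and should not be readable by other accounts on a shared host.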

1 Answer

0

The session cookie will only be valid for the same domain that generated the cookie/started the session.

Although it will be possible for another PHP page to pick up that session, it will only receive the cookie if it is served on the same domain, in which case it is 'part' of your website.

This should therefore not be a problem, because (unless you have a serious problem) only you will be able to add/upload php files to your website.

You should check where the session DATA is saved though. The default 'php' session settings in app/Config/core.php will write the session data to the session save path that is configured in php.ini. This may be a 'shared' directory that is accessible by other websites on the same server.

For better security, set the session configuration in app/config/core.php to 'cake'. This will write the session data to app/tmp/sessions which should only be accessible by your website.

thaJeztah
  • 27,738
  • 9
  • 73
  • 92
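The answer recommends switching the session configuration in app/Config/core.php from the php.ini-controlled 'php' defaults to 'cake'. As an added example (not the answer's own code, and not a file shipped by CakePHP), this is what that Session block of a CakePHP 2.x core.php can look like. The `'defaults' => 'cake'` and cookie name are taken from the page; the `'timeout'` value and the `'ini'` overrides are assumptions about what a hardened deployment would add on top, not something the answer specifies.

```php
<?php
// Added example: Session configuration in app/Config/core.php (CakePHP 2.x).
// 'cake' keeps the session files under app/tmp/sessions instead of the
// session.save_path from php.ini, which may be shared with other sites on the host.
Configure::write('Session', array(
    'defaults' => 'cake',                  // app/tmp/sessions rather than the shared php.ini path
    'cookie'   => 'CAKEPHP',               // cookie name referred to in the question
    'timeout'  => 30,                      // minutes of inactivity before the session expires (assumed value)
    'ini'      => array(                   // php.ini overrides applied before session_start() (assumed)
        'session.use_only_cookies' => 1,   // never accept the id from GET/POST
        'session.use_strict_mode'  => 1,   // reject ids the server did not issue (PHP >= 5.5.2)
        'session.cookie_httponly'  => 1,   // keep the cookie away from JavaScript
        'session.cookie_secure'    => 1,   // HTTPS-only deployments: do not send it over plain HTTP
    ),
));
```

After switching, confirm that app/tmp/sessions exists, is writable by the web server user, and is not readable by other accounts on the machine (a shared save path is exactly the exposure the answer warns about). `session.cookie_secure` should only be enabled on a site served over HTTPS; on a plain-HTTP site the browser would never return the cookie and every request would start a new session.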