
How do I fix session fixation in PHP/CakePHP? I am on a shared host.

EDIT: I am on a shared host; how can I enable it if I don't have access to php.ini?

aWebDeveloper

1 Answer

  • Set session.use_only_cookies=true. It's harder to inject and/or social-engineer a session id with cookies than with POST/GET parameters.
  • Set session.cookie_httponly=true. Not really because of session fixation but because of session hijacking; anyway, there shouldn't be a good reason for a client-side script to be able to read the session id cookie.
  • Use session_regenerate_id() as often as you deem necessary; at minimum every time a login is attempted.
VolkerK
  • I am on a shared host; how can I enable it if I don't have access to php.ini? – aWebDeveloper Sep 20 '10 at 08:08
  • Both session.use_only_cookies and session.cookie_httponly are marked as PHP_INI_ALL, i.e. you can set the values via ini_set() before you call session_start(), _every time_ before you call session_start(). – VolkerK Sep 20 '10 at 08:21
  • If you are using mod_php in Apache you should be able to set PHP values in .htaccess files, e.g. php_value upload_max_filesize 2M – velcrow Sep 01 '11 at 05:12
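The three points of the answer and the ini_set() advice from the comments, put together in plain PHP as an added example (not code from the question, the answer, or CakePHP's own session component). It also sets session.use_strict_mode and session.cookie_secure, which the answer does not mention; the credential check is a placeholder you would replace with your own.

```php
<?php
// Added example: harden session handling on a shared host where php.ini
// cannot be edited. The ini settings used here are PHP_INI_ALL, so ini_set()
// works when called before session_start(); it must run on every request.

function startHardenedSession(): void
{
    // Accept the session id only from the cookie, never from GET/POST,
    // so a crafted link cannot hand the browser an attacker-chosen id.
    ini_set('session.use_only_cookies', '1');
    // Keep the session cookie out of reach of client-side scripts.
    ini_set('session.cookie_httponly', '1');
    // Reject session ids that PHP did not issue itself (PHP >= 5.5.2);
    // an unknown id is replaced instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    // Send the cookie only over HTTPS when the request itself is HTTPS.
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        ini_set('session.cookie_secure', '1');
    }
    session_start();
}

function loginUser(int $userId): void
{
    // Rotate the id at the privilege change, so any id the client held
    // before authenticating (possibly planted) no longer maps to this session.
    session_regenerate_id(true); // true: discard the old session data as well
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie on the client, then drop the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: start the session the same way on every request, then rotate on login.
startHardenedSession();
$authenticated = false; // placeholder: replace with your real credential check
if ($authenticated) {
    loginUser(42); // constructed sample user id
}
```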