Protecting Sessions

warozzo

Because of my lack knowledge in technical English, I still don't understand about session hijacking & fixation.

Have anybody enlightenment me about this, especially by this code I wrote below:

<?php
session_start();

if (!$_SESSION['auth'] == 1) { // '1' is OK to login
    header('login.php'); // go back to login page
    die();
} else {
?>
=== the protected page ===
<?php
}
?>

in the cookie, I only write username only without password.

How can I make this snippet safer?

Thx

warozzo

anyone?

bradgrafelman

Google'ing the terms should get you information on what they are, but basically to secure your sessions I would recommend you enable the "session.use_only_cookies" directive if it hasn't been already.

warozzo

bradgrafelman wrote:
Google'ing the terms should get you information on what they are, but basically to secure your sessions I would recommend you enable the "session.use_only_cookies" directive if it hasn't been already.

thank you for your answer.

I assume this is using ini_set function.

bradgrafelman

Yes, or, if PHP is installed as an Apache module, you can use "php_flag" in an .htaccess file at the root of your site.