Shaohua Huang
Reputation: 788
How to secure session_id?
I plan not to use HTTPS for my web app. I used digest authentication as method to secure login to my system. And after user being authenticated, I simply send nonce to them periodically(1 min). When users make request, I simply check whether the nonce expires before I send them response.
I want to know whether it is necessary for me to protect users session_id in case the attackers replay the nonce or guess out the nonce generation mechanism? And if yes, how do I secure the session_id?
Upvotes: 0
Views: 228
Answers (1)
Ikhlak S.
Reputation: 9034
Take a look at Session Hijacking and Fixation
The best solutions to Session Hijacking/Fixation is:
- Regenerate session identifier at key points. In your case after user login. So, after the user logins, we give him a new session identifier. So,in case a hacker hijacked the session id, it would be useless and would not work.
- Save User Agent/IP address and compare it against the User Agent/IP address used just before login. A hacker would not have the same User Agent/IP address as the legit user. But remember User Agent/IP address can sometimes be faked.
- Last but not the least, destroy old session regularly.
Keeping these in mind, your program will be safe from Session Hijacking/Fixation.
Upvotes: 1
Related Questions
- How can I prevent SQL injection in PHP?
- How can I sanitize user input with PHP?
- Secure hash and salt for PHP passwords
- If you can decode JWT, how are they secure?
- How do I expire a PHP session after 30 minutes?
- How can bcrypt have built-in salts?
- How to secure database passwords in PHP?
- How does the SQL injection from the "Bobby Tables" XKCD comic work?
- How should I ethically approach user password storage for later plaintext retrieval?