Kristina Anderson wrote:
That's what I want to do, but I need to prevent the value of session id
from changing if for some reason they revisit or refresh the index.php
page...as that is where the value is created.
I've seen discussions on here about populating a hidden field and then
testing that to see if it's not empty as a way to handle this, I think.
Well, first off you can take a minimal step towards avoiding session
fixation [someone sending someone to your website with a made-up session
id in the URL, thus they now know what the session is] by using:
    <?php
    session_start();
    // First request of this session: the ID the browser presented may have
    // been chosen by someone else, so replace it and mark the session as ours.
    if (!isset($_SESSION['initiated']))
    {
        session_regenerate_id();
        $_SESSION['initiated'] = true;
    }
    // On every later request the flag is already set, so the ID is kept.
from http://phpsec.org/projects/guide/4.html
This doesn't prevent all session fixation attacks, as the attacker can
still initialize a legitimate session and then send the user to your
site, but it does stop the easy ones - while at the same time solving
your problem [when you create a session id on index.php you set a session
variable. Then on subsequent loads of the index page, if that variable
is set they will keep the same id they had].
You can also go further and whenever the person does something on the
site that is meaningful [for example, adds something to the shopping
cart] you can regenerate the session id, giving them a new one that now
no attacker knows.
Since you're putting some work into handling sessions, check out the rest
of the page for how to deal with minimizing session hijacking as well.
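The two steps described above, as an added example that is not part of the original thread: regenerate once when the session is first marked as initiated, and again on a meaningful action. The `add_to_cart()` helper and the `'cart'` session key are assumed names for illustration; `session.use_strict_mode` and the array form of `session_set_cookie_params()` need PHP 5.5.2 and 7.3 respectively.

```php
<?php
// Added example (not from the original thread). Refuse session IDs that
// arrive in the URL and reject IDs the server never issued, so the simple
// "here is a link with a made-up id" fixation no longer works at all.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,   // keep script on the page from reading the cookie
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();

// index.php: the value is created on the first request only. Reloading
// the page later finds the flag already set and keeps the same ID.
if (!isset($_SESSION['initiated'])) {
    // true = delete the old session data so the previous ID is dead.
    session_regenerate_id(true);
    $_SESSION['initiated']  = true;
    $_SESSION['created_at'] = time();
}

// Meaningful action: an attacker who got a legitimate ID by visiting the
// site first still loses it here, because the user gets a fresh one.
function add_to_cart(string $sku): void   // assumed helper name
{
    $_SESSION['cart'][] = $sku;
    session_regenerate_id(true);
}

// Optional: retire long-lived IDs even without a privilege change.
if (time() - $_SESSION['created_at'] > 1800) {
    session_regenerate_id(true);
    $_SESSION['created_at'] = time();
}
```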
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk