
When I load my website, PHPSESSID is automatically set with a value. After logging in to the website, the value remains the same.

I want PHPSESSID to change when the user logs in to the website, so that session hacking is not possible.

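// Keep the session cookie out of reach of client-side script
ini_set('session.cookie_httponly', 1);
// Tell browsers and proxies not to cache the page
header('Pragma: no-cache');
header('Cache-Control: no-cache, must-revalidate, max-age=0');
header('Expires: 0');
session_start();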
sumit kundan
  • If you change the session id, then the session that the user has will be invalid and the user will be logged out – Artog Jul 18 '19 at 07:22
  • Also, if an attacker can get the session id before you're logged in, then they can also, probably, get the new one after. So it's not that good of a protection, given the effort required to change the id (you need to collaborate with the front end, i.e. the cookie, and backend to change it) – Artog Jul 18 '19 at 07:25
  • Is there any way for the cookie not to be shown on the client desktop? – sumit kundan Jul 18 '19 at 07:31
  • No, not really. Take a look at https://stackoverflow.com/questions/12233406/preventing-session-hijacking – Artog Jul 18 '19 at 07:35
  • PHPSESSID is not set automatically, you set it. So simply don't set it for unauthenticated users – Verim Jul 18 '19 at 07:41
  • I didn't set it in my code – sumit kundan Jul 18 '19 at 08:47

0 Answers
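Changing PHPSESSID at login, which is what the question asks for, can be done with PHP's built-in `session_regenerate_id()`. The following is an added example, not code from the original thread; the `login()` helper, the `$users` array and the sample credentials are hypothetical and constructed for illustration, and the `secure` cookie flag assumes the site is served over HTTPS.

```php
<?php
// Added example: rotate the session ID at the moment of login.
// Cookie and session hardening must be configured before session_start().
ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_set_cookie_params([
    'httponly' => true,    // not readable from JavaScript
    'secure'   => true,    // assumption: site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/**
 * Hypothetical login helper. $users maps username => password_hash() output.
 * Returns true and rotates the session ID only when the credentials match.
 */
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;                      // failed login: session left untouched
    }
    // New ID for the authenticated session; "true" deletes the old session
    // record, so an ID that was known before login no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Constructed demo data (not from the page).
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$_SESSION['cart'] = ['sku-1'];             // data stored before login

$before = session_id();
$ok     = login('alice', 'correct horse', $users);
$after  = session_id();

// Output comes last: once output is sent, the ID can no longer be regenerated.
printf("login ok:        %s\n", $ok ? 'yes' : 'no');
printf("ID changed:      %s\n", $before !== $after ? 'yes' : 'no');
printf("pre-login data:  %s\n", json_encode($_SESSION['cart']));
```

PHP sends the new ID in the `Set-Cookie` header of the same response, and the contents of `$_SESSION` carry over to the new ID, so no front-end code is needed for the rotation.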