PHP_Server_Generated_SESSION

<?php
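//   [Accept only server-generated SIDs]
//   One way to improve security is not to accept session identifiers that were not generated by the
//   server. However, as noted above, this does not prevent all session fixation attacks.
//
//   $_SESSION is only populated while a session is active, so start one here unless the
//   including page already did (session_start() on an active session only emits a notice).
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

//   Every id this server hands out gets the flag below, so a session that lacks it was opened
//   under an id the client supplied - the fixation case this snippet is meant to reject.
$serverGeneratedSid = isset($_SESSION['SERVER_GENERATED_SID']);
if (!$serverGeneratedSid) {
    // destroy all data in session. Emptying the superglobal is used instead of session_destroy():
    // destroy ends the active session (so the regenerate below cannot run) and leaves the
    // attacker-supplied values in $_SESSION for the rest of this request.
    $_SESSION = [];
}

//   Rotate the identifier on every request, as the original did. When the previous id came from the
//   client, also delete the data stored under it (delete_old_session = true) so the known id is dead;
//   otherwise keep PHP's default of retaining the old record.
session_regenerate_id(!$serverGeneratedSid);
$_SESSION['SERVER_GENERATED_SID'] = true;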
 
 
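//   [Logout function]
//   A logout function is useful as it allows users to indicate that a session should not allow further
//   requests. Thus attacks can only be effective while a session is active. Note that the following
//   code performs no Cross-site request forgery checks, potentially allowing an attacker to force users
//   to log out of the web application.
//
//   $logout is a placeholder for the application's own "the user asked to log out" decision. The bare
//   word `logout` used originally is an undefined constant: PHP 8 throws an Error on it, and PHP 7
//   warns and treats it as the (truthy) string 'logout', which would destroy the session on every request.
$logout = $logout ?? false;

//   session_destroy() warns when no session is active, so only act on a live session.
if ($logout && session_status() === PHP_SESSION_ACTIVE) {
    // session_destroy() does not unset the superglobal; clear it so nothing later in this request
    // still sees the logged-in data.
    $_SESSION = [];

    // Expire the session cookie too. Otherwise the browser keeps presenting the old id and the next
    // session_start() resumes under it - empty, but still an id a third party may know.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    session_destroy(); // destroy all data in session
}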
 
?>