So I was doing some tests with the php session ID cookie.
Question
So I was doing some tests with the PHP session ID cookie. I know that the data is stored on the server; however, a cookie with a unique ID is stored so that the server can recognize the client while browsing. So, what happened is I got the ID of the cookie and opened Firefox on a different computer, I edited that PHP session cookie to the ID I had on the computer where I logged in... and bam, just as expected, I was logged in.
All I could do to patch it was to check that the HTTP user agent and the first three groups of numbers (xxx.xxx.xxx.123) of the IP do not change (to avoid the dynamic IP problem). I want to know, though, if using a permanent HTTPS connection will make the content of the PHP session ID un-hijackable, e.g. against someone getting into my computer, grabbing the cookie content, and using it for themselves.
Extra question: I know that security through obscurity is not good, but is there a way of changing the cookie name to some acronym like ps or sid?
EDIT: I do not think this question is a duplicate because, in the linked question, the process to set these flags and configuration values is not mentioned.
Explanation / Answer
The cookie is what identifies the session, so if it is stolen the session is stolen. What you have to do is protect the application and the cookie so that they cannot be hijacked.
- Use the HttpOnly flag
- Use HTTPS
- Use the secure flag
- Use the correct cache headers
- Don't use the cookie in the URL
- Use temporary cookies
In general, you can use the OWASP Testing Guide v4 to protect the whole application and thus protect the cookies.
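As an added example that is not part of the original answer, the following PHP session bootstrap applies the list above in code: the session ID is accepted only from a cookie (never from the URL), the cookie is sent with the HttpOnly and Secure flags and as a temporary (browser-session) cookie, the page is sent with no-cache headers, and the ID is rotated at login and periodically. It also shows the `session_name()` change the question asks about. The cookie name "sid", the 30-minute rotation interval and the `on_successful_login()` helper are illustrative assumptions, not settings from the page.

```php
<?php
// Added example: a hardened PHP session bootstrap for the points listed in the
// answer. The cookie name "sid" and the 30-minute rotation interval are
// assumptions chosen for illustration.

declare(strict_types=1);

function start_hardened_session(bool $https): void
{
    // Accept the session ID only from the cookie, never from the URL, and do
    // not rewrite the ID into links (the "don't use the cookie in the URL" point).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued, so a client cannot pick its own ID.
    ini_set('session.use_strict_mode', '1');

    // Rename the cookie from the default PHPSESSID. This hides nothing from
    // someone who can already read the cookie; it is shown because the
    // question asks how to do it.
    session_name('sid');

    // HttpOnly: not readable from document.cookie.
    // Secure: only sent over HTTPS.
    // lifetime 0: a temporary cookie discarded when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',   // requires PHP >= 7.3 for the array form
    ]);

    // Cache headers: PHP emits Cache-Control: no-store, no-cache,
    // must-revalidate (plus Expires/Pragma) when the session starts, so pages
    // tied to the session are not stored by browser or shared caches.
    session_cache_limiter('nocache');

    session_start();

    // Rotate the ID periodically so that a captured ID stops working after a
    // bounded time even if the user stays logged in.
    $now = time();
    if (!isset($_SESSION['rotated_at'])) {
        $_SESSION['rotated_at'] = $now;
    } elseif ($now - $_SESSION['rotated_at'] > 1800) {   // 30 minutes (assumed)
        session_regenerate_id(true);                      // true = delete old file
        $_SESSION['rotated_at'] = $now;
    }
}

function on_successful_login(int $userId): void
{
    // Issue a fresh ID at the privilege change so an ID observed or planted
    // before login is worthless afterwards (classic session fixation defence).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Detect whether this request arrived over HTTPS and start the session.
start_hardened_session(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

Every `ini_set()` and `session_*` call above must run before `session_start()`; the same values can instead be set once in php.ini (`session.cookie_httponly`, `session.cookie_secure`, `session.use_only_cookies`, `session.name`). None of this stops someone who already has access to the user's machine and copies the cookie value, which is the point of the answer's first sentence: the ID is the session, so the flags above limit how it can leak in transit and from scripts, and the rotation limits how long a leaked ID stays useful.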