Author: Admin 02/17/2022
Language: Plain Text
Tags: php manual cookie securing session
By securing session related INI settings, developers can improve session security. Some important INI settings do not have any recommended settings. Developers are responsible for hardening session settings.
0 possesses a particular meaning. It informs browsers not to store the cookie to permanent storage. Therefore, when the browser is terminated, the session ID cookie is deleted immediately. If developers set this other than 0, it may allow other users to use the session ID. Most applications should use "
0" for this.
If an auto-login feature is required, developers must implement their own secure auto-login feature. Do not use long life session IDs for this. More information can be found above in the relevant section.
session.use_only_cookies=Off, the session module will use the session ID values set by GET/POST/URL provided the session ID cookie is uninitialized.
session.use_strict_mode is mandatory for secure sessions. It is disabled by default.
This prevents the session module to use an uninitialized session ID. Put differently, the session module only accepts valid session IDs generated by the session module. It rejects any session ID supplied by users.
session.use_strict_mode can prevent an attacker initialized session ID of being used.
Read More: PHP: Securing Session INI Settings - Manual