My website is built in PHP. I want to know how to test whether the session is breaking or whether it is vulnerable to any security attacks. Is there any tool available, or do I have to do it manually?
What do you mean by "breaking"? – Barmar Nov 15 '12 at 08:01
Some of our users have complained that they were logged in to a different user's session... that's what I meant by session breaking... suggest any help if you can... – Susant Palai Nov 15 '12 at 08:20
1 Answer
Can you provide more information?
The session is stored on your server; you can remote into your server to view/destroy the session,
but in programming you can check all session data using
session_start(); // $_SESSION is only populated once the session has been started
foreach ($_SESSION as $key => $val) {
    echo $key . " " . print_r($val, true) . "\n"; // print_r copes with array values too
}
And for security issues:
There are a couple of things to do in order to keep your session secure:
1. Use SSL when authenticating users or performing sensitive operations.
2. Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id on every request if you wish.
3. Have sessions time out.
4. Don't use register globals.
5. Store authentication details on the server. That is, don't send details such as the username in the cookie.
6. Check $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking.
7. You can also check the IP address. But this causes problems for users whose IP address changes due to load balancing across multiple internet connections etc. (which is the case in our environment here).
8. Lock down access to the sessions on the file system, or use custom session handling.
For sensitive operations, consider requiring logged-in users to provide their authentication details again.

Leon Armstrong
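The following is an added example, not code from the answer above or from the asker's site: a small PHP session bootstrap that applies the answer's hardening points (HTTPS-only cookies, id regeneration on login, an idle timeout, server-side storage of the login state, a user-agent check, and a re-authentication check for sensitive operations). The function names, the 900-second idle limit and the 300-second re-authentication window are my own choices; `session.use_strict_mode` is a real PHP setting that makes the server refuse session ids it did not itself issue.

```php
<?php
// Added example: session hardening helpers following the steps in the answer.
// Names and timeouts below are assumptions chosen for illustration.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900;   // seconds without a request before the session is dropped (assumed)
const BIND_TO_IP         = false; // step 7 is optional; the answer notes it breaks load-balanced clients

function secure_session_start(): void
{
    // Step 1: the cookie is only sent over HTTPS, is invisible to JavaScript,
    // and the id is accepted from the cookie only, never from the URL.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_start();

    // Step 3: idle timeout enforced on the server, not just by cookie expiry.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT) {
        reset_session();
    }
    $_SESSION['last_seen'] = $now;

    // Step 6 (and optionally 7): bind the session to the client fingerprint seen
    // when it was created; on mismatch the session content is discarded.
    $fingerprint = client_fingerprint();
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        reset_session();
        $_SESSION['fingerprint'] = $fingerprint;
    }
}

function client_fingerprint(): string
{
    $parts = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (BIND_TO_IP) {
        $parts .= '|' . ($_SERVER['REMOTE_ADDR'] ?? '');
    }
    return hash('sha256', $parts);
}

// Steps 2 and 5: on successful login rotate the id and keep only a server-side
// user id in the session; nothing about the user is written into the cookie.
function login_user(int $userId): void
{
    session_regenerate_id(true);      // true = delete the old session file as well
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Last paragraph of the answer: ask for credentials again before a sensitive
// operation if the last authentication is older than $maxAge seconds.
function requires_reauth(int $maxAge = 300): bool
{
    return !isset($_SESSION['auth_time']) || (time() - $_SESSION['auth_time']) > $maxAge;
}

// Drop all data and issue a fresh id, used for timeout and fingerprint mismatch.
function reset_session(): void
{
    session_unset();
    session_regenerate_id(true);
}

// Full logout: clear data, expire the cookie, destroy the server-side record.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage (assumed layout): call secure_session_start() at the top of every page
// before any output, login_user($id) after the password check succeeds, and
// guard sensitive actions with: if (requires_reauth()) { /* show login form */ }
```

Step 4 (register globals) and step 8 (file-system permissions on the session save path) are server configuration rather than code, so they are not covered by this snippet; `session.save_path` should point at a directory only the web server user can read.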
Thanks Leon... The problem is some users complained that they were directed into some other user's session. So I want to know what causes such activity... – Susant Palai Nov 15 '12 at 08:22