0

I have read some security post on session. Although I configure most of it in php.ini in my shared host, some I can't.

1) I cannot find session.cookie_secure and session.cookie_httponly in my php.ini, since I'm still new to PHP I don't want to just add those two lines in the file without knowing any consequences. Alternatively, I used a approach by editing .htaccess. Not sure does it work or not.

IfModule php5_module<br>
php_flag session.cookie_secure on<br>
php_flag session.cookie_httponly on<br>
/IfModule<br><br>

Is this method alright?

2) Currently I am running version 5.3.28 and php.net stated session.entropy_file support many unix system but only start supporting Windows after 5.3.3 which exceed my version. The default php.ini has this:

;session.entropy_length = 16  
;session.entropy_file = /dev/urandom

Should I concern or am I worrying too much?

3) Should I use setcookie or setrawcookie?

4) I am following Securely creating and destroying login sessions in PHP for security, is there anymore I need to put into consideration?

Community
  • 1
  • 1
Andrew
  • 2,810
  • 4
  • 18
  • 32
  • Your `5.3.28` PHP version is newer than `5.3.3`. And yes, you can just add [any of the listed options](http://www.php.net//manual/en/session.configuration.php) to your `php.ini`. Also `setcookie()` has alternatively parameters for both. – mario Jun 17 '14 at 22:38

1 Answers1

1

1) Those should definitely be in your php.ini file, however they will be commented out meaning they start with a ; you need to uncomment them. If for some reason they aren't there (They will be) you can add them safely.

2) I would not start altering entropy values without a decent knowledge of cryptography and security, the defaults will be fine.

3) You should probably use setcookie() since it will URL encode, which you probably want.

4) Yes you need to take this into consideration, very much so. Security should never be an afterthought, read all the material in the post and if you don't understand it browse about a bit. There are plenty of excellent resources online and I really recommend reading through OWASP.

James Parker
  • 285
  • 3
  • 6
  • 17
  • I always wonder at what degree of security is consider enough...and secure enough from normal attack – Andrew Jun 18 '14 at 00:34
  • You have already fallen into a trap, "normal attack". Always presume an attacker will do anything in their power to compromise your website if they want to. Protecting against SQL Injection, Cross Site Scripting & Cross Site Request Forgery however will deter most automated scanners. Security is deep area and a profession in its own right; as a developer you should read as much as you can to establish secure coding practices. – James Parker Jun 18 '14 at 01:48