Technique / Defense

Defense (against session fixation):
- Call session_regenerate_id() after login, so the ID issued before authentication never becomes an authenticated one
- If cookies can be enforced, it's better to enable session.use_only_cookies, so a session ID passed in the URL is ignored

Session Variables
- Session Hijacking
  - Binding the session to the client IP address is unreliable: the IP address can change from time to time (mobile networks, proxies), so the legitimate user gets logged out
  - Binding to the User-Agent header is more stable, but only a weak check: whoever steals the session ID can send the same header
- session.use_trans_sid puts the session ID into URLs, and those URLs are stored:
  - In browser history and cache
  - In server logs
  - On other servers through the Referer header
  - On printed pages, ...
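The settings and the post-login regeneration above, put together as an added example (this is not code from the original slides). The function names are assumptions, the User-Agent binding is the deliberately weak heuristic described above rather than a strong control, and session.cookie_samesite requires PHP 7.3 or newer:

```php
<?php
// Added example, not from the original slides: hardened PHP session handling.
// Assumes PHP 7.3+ (session.cookie_samesite) and a site served over HTTPS.
declare(strict_types=1);

function secureSessionStart(): void
{
    // All ini settings must be applied before session_start().
    // Accept the session ID only from the cookie, never from the URL:
    // with use_trans_sid the ID would end up in history, caches, server
    // logs and the Referer header of other sites.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued (blocks fixation with made-up IDs).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');   // not readable from JavaScript
    ini_set('session.cookie_secure', '1');     // assumes HTTPS
    ini_set('session.cookie_samesite', 'Lax');

    session_start();
}

function loginUser(int $userId): void
{
    // Discard the pre-authentication ID (and its data on the server),
    // so an ID fixated before login grants the attacker nothing.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Bind to the User-Agent only. Binding to the client IP is deliberately
    // avoided: IPs change legitimately and would log real users out.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'])) {
        return null;
    }
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $uaHash)) {
        // The ID is being reused from a different browser: drop the session.
        // Weak check only; an attacker who copied the cookie can copy the
        // header as well.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage (assumed login flow): call secureSessionStart() at the top of every
// request, loginUser($id) once credentials have been verified, and
// currentUserId() wherever an authenticated user is required.
secureSessionStart();
```

Regenerating the ID on login is the step that actually defeats fixation; use_only_cookies and use_strict_mode close the delivery paths for a fixated or guessed ID, and the User-Agent binding only narrows, never prevents, hijacking with a stolen cookie.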
- glob() doesn't respect open_basedir, so open_basedir alone does not stop a script from listing files outside the allowed directories via glob()