Attacker persuade you to use his session and wait until you log in Call %session_regenerate_id()% after login If cookies can be enforced, it's better to enable %session.use_only_cookies% Session Hijacking IP address can change from time to time Header %User-Agent% %session.use_trans_sid% - URLs stored: In browser history and cache In server log On other servers through %Referer% header On printed pages, ... %glob()% doesn't respect %open_basedir% http://php.vrana.cz/zabezpeceni-session-promennych.php