Jump to content

Search the Community

Showing results for tags 'sec_session_start'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Welcome to PHP Freaks
    • Announcements
    • Introductions
  • PHP Coding
    • PHP Coding Help
    • Regex Help
    • Third Party Scripts
    • FAQ/Code Snippet Repository
  • SQL / Database
    • MySQL Help
    • PostgreSQL
    • Microsoft SQL - MSSQL
    • Other RDBMS and SQL dialects
  • Client Side
    • HTML Help
    • CSS Help
    • Javascript Help
    • Other
  • Applications and Frameworks
    • Applications
    • Frameworks
    • Other Libraries
  • Web Server Administration
    • PHP Installation and Configuration
    • Linux
    • Apache HTTP Server
    • Microsoft IIS
    • Other Web Server Software
  • Other
    • Application Design
    • Other Programming Languages
    • Editor Help (PhpStorm, VS Code, etc)
    • Website Critique
    • Beta Test Your Stuff!
  • Freelance, Contracts, Employment, etc.
    • Services Offered
    • Job Offerings
  • General Discussion
    • PHPFreaks.com Website Feedback
    • Miscellaneous

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Age


Donation Link

Found 2 results

  1. Hi all, I have been coding in php now for almost an year but yet i feel like a newbie when it comes to sessions !! That's an honest confession. Like many newcomers I too came across the sec_session_start() which is a common function that is easily found on the net for people looking for a secure login script. Here is the function: function sec_session_start() { $session_name = 'secure_session_main'; // Set a custom session name $secure = false; // Set to true if using https. $httponly = true; // This stops javascript being able to access the session id. ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies. $cookieParams = session_get_cookie_params(); // Gets current cookies params. session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); session_name($session_name); // Sets the session name to the one set above. session_start(); // Start the php session session_regenerate_id(TRUE); // regenerated the session, delete the old one. } I used it in my login page and on the other pages of my application. It seemed to work fine and then it started to create problems. I wrote about it on this forum. Every time I would click on a button or a link on my page, i would get logged out. I discussed that issue on this forum but no solution was found. Then I found that if I removed the (TRUE) from the session_regenerate_id(), things became fine. So I removed the TRUE and proceeded wanting to come back here at a later time like now. I was actually quite pleased that I had found a solution to my problem. But now while reading more on session_regenerate_id, I came across a number of articles that said that not using session_regenerate_ID with the argument TRUE is not effective in preventing session hijacking or was it session fixation. The articles pointed as also some of the answers to the questions in the forums that session_regenerate_id should be used only when 1. logging in, 2. logging out & 3. when privileges change. However I am using this sec_session_start on each and every page of my application instead of using session_start() and I want to use this function to use the session_regenerate_id(TRUE) since that it seems is more effective against the session attacks. The latest issue that I have encountered is the generation of an error message that says " session_regenerate_id(true) failed. I would like to ask if I my using the sec_session_start() on each and every page is incorrect & too oft used usage of the function. In that case what should I use on the beginning of each of those pages to start a session? I would like to know if there is any flaw in my thought process above? And anything else related that would shed some more light on using the session_regenrate_id(TRUE) in the above function. Basically the right way to initiate a new session securely . PS - my program seems to work correctly otherwise. Even when the error is generated "session_regenerate_id(true) failed", the variables in the application remain intact and save properly. If I remove the (TRUE) all problems seem to cease but then, like I mentioned above, the discussions I have read say that that usage is ineffective against session attacks. Thanks loads.
  2. Hi all ! I came across sec_session_start() function to start a secure session and I have used it. However I have come across so many comments on the usage of this function recently many of which suggest that this is quite useless, an overkill etc. etc. and that using Https is the best option and there too there are opinions that it has its own overheads and so on. So I would like to ask what purpose does this function serve? How good is it really? Should we use it or not? The most controversial part of this function seems to be the session_regenarate_id() which seems to create unwanted logouts and lost sessions. While this is apparently supposed to be used to prevent session hijacking or session fixation, I have again come across comments which say it is not advisable to use this function. Like it's of no use to deploy this function and should be avoided. Here is the function as I use it. function sec_session_start() { $session_name = 'sec_session_id'; $secure = false; // Set to true if using https. $httponly = true; ini_set('session.use_only_cookies', 1); $cookieParams = session_get_cookie_params(); session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); session_name($session_name); session_start(); // Start the php session session_regenerate_id(); // regenerated the session } And I use it on all the pages at the very top. It seems to work fine. I would be very happy to know the truth about this function and its usage. Thanks loads.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.