SaranacLake, posted August 9, 2020:

For PHP 7.4, what is the recommended session length that I should be using to have the best security?

In DEV, in my php.ini file, session.sid_length = 26

According to the comments above that, it sounds like you can go up to 256.

Is it fair to assume that larger is more secure?

Also, if I set it to a larger size like 256, is there any risk of breaking things on my (VPS) web server running WHM/cPanel?

requinix, posted August 9, 2020:

The length of the session ID isn't even remotely as important as what you do with your sessions in code. Focus on that instead.

SaranacLake (Author), posted August 9, 2020:

9 hours ago, requinix said:
> The length of the session ID isn't even remotely as important as what you do with your sessions in code. Focus on that instead.

When I was searching last night for what the length might be, and where to find it, I saw an article by OWASP saying that your session id should be at least 128 bytes long to prevent against brute-force attacks, although I didn't read the article.

Would it hurt to change my php.ini file to have session.sid_length = 256 ?

SaranacLake (Author), posted August 9, 2020:

It looks like 32 or 64 might be the way to go...

https://www.php.net/manual/en/session.configuration.php
https://www.php.net/manual/en/session.security.ini.php
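
Added example, not part of the thread: the randomness in a PHP session ID is session.sid_length multiplied by session.sid_bits_per_character, and the session handling the first reply points to is configured where the session is started and at login. The function names and the user_id session key are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Upper bound on random bits in a session ID: characters x bits per character.
function session_id_entropy_bits(int $sidLength, int $bitsPerChar): int
{
    if ($sidLength < 22 || $sidLength > 256) {
        throw new InvalidArgumentException('session.sid_length must be 22..256');
    }
    if (!in_array($bitsPerChar, [4, 5, 6], true)) {
        throw new InvalidArgumentException('session.sid_bits_per_character must be 4, 5 or 6');
    }
    return $sidLength * $bitsPerChar;
}

// Start a session with the settings that govern how the ID is handled,
// which is where the first reply says to focus.
function start_hardened_session(): void
{
    session_start([
        'use_strict_mode'  => 1,      // reject session IDs the server did not issue
        'use_only_cookies' => 1,      // never accept the ID from the URL
        'cookie_httponly'  => 1,      // keep the ID away from page scripts
        'cookie_secure'    => 1,      // send the cookie over HTTPS only
        'cookie_samesite'  => 'Lax',  // available since PHP 7.3
    ]);
}

// Call right after a successful login so a pre-login ID is not reused.
function on_login(int $userId): void
{
    session_regenerate_id(true);      // true = delete the old session data
    $_SESSION['user_id'] = $userId;   // hypothetical key
}

// Report the configured ID strength, then the lengths mentioned in the thread.
$configured = session_id_entropy_bits(
    (int) ini_get('session.sid_length'),
    (int) ini_get('session.sid_bits_per_character')
);
echo "configured: {$configured} bits\n";
foreach ([26, 32, 64, 256] as $len) {
    foreach ([4, 5, 6] as $bits) {
        printf("sid_length=%3d bits_per_char=%d -> %4d bits\n",
            $len, $bits, session_id_entropy_bits($len, $bits));
    }
}
```

Run from the command line, the script prints the bit count for the active php.ini and for each length raised in the thread; the two session functions are meant to be called from the application's request handling.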