A McGraw Hill Book Plug-in PHP: 100 Power Solutions
By Robin Nixon (McGraw Hill 2010, ISBN 978-0071666596)


Chapter 9: Plug-in 68 - Secure Session

If there's a way a hacker can break into your website, you can bet they'll try. One trick they use is to hijack PHP sessions. There are different ways this might be achieved, but the main security hole is when a hacker locates a site that passes the session ID in a GET URL tail. Given this information, a hacker could start a session and then pass on the URL (including the session ID) in spam or other links. They could then go back and look for evidence of any of these links having been followed and, if the user hasn't logged out, they may be able to hijack the session and assume the user's identity. But by using this simple plug-in, tricks of that nature are rendered completely useless.

The figure shows a session that is opened with PIPHP_OpenSession() and then tested with this plug-in for being secure.
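The defence the chapter describes, written here as an added example rather than the book's own PIPHP_SecureSession code: the session is restricted to cookies so an ID placed in a URL is never honoured, a freshly started session gets a new ID so a pre-seeded one is discarded, and the session is bound to a client fingerprint. The function name piphp_demo_secure_session and the choice of the user agent alone as the fingerprint are assumptions.

```php
<?php
// Added example (not the book's PIPHP_SecureSession): harden a PHP session so
// that a session ID handed to a victim inside a URL cannot be reused.

function piphp_demo_secure_session(): bool
{
    // 1. Never accept or emit session IDs in URLs; cookies only.
    //    use_strict_mode rejects any ID the server itself did not issue.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // 2. Keep the cookie out of reach of scripts and plain HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 3. Bind the session to a client fingerprint. Assumption: only the user
    //    agent is used; adding REMOTE_ADDR would also break users behind
    //    rotating proxies, so decide that per site.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    if (!isset($_SESSION['piphp_fp'])) {
        // Fresh session: issue a new ID so any ID seeded earlier is discarded.
        session_regenerate_id(true);
        $_SESSION['piphp_fp'] = $fingerprint;
        return true;
    }

    if (!hash_equals($_SESSION['piphp_fp'], $fingerprint)) {
        // Fingerprint changed: treat the session as hijacked and drop it.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Usage (constructed): call before any other session access on each request.
if (!piphp_demo_secure_session()) {
    http_response_code(403);
    exit('Session rejected');
}
```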