Session Fixation


This entry was posted on Wednesday, November 26th, 2003 at 11:21 am and is filed under Uncategorized.

3 Comments

  1. Sérgio Carvalho says:

    Bottom line. When logging in, destroy the previous session. For PHP:

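    <?php
      // Assign a fresh, unpredictable session ID before starting the session,
      // so an ID planted before login is not carried over.
      session_id(bin2hex(random_bytes(16)));
      session_start();
      // Rest of login script
    ?>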

    ... on November 26th, 2003
  2. Andre Restivo says:

    In fact it’s even easier than that:
    bool session_regenerate_id ( void )

    ... on November 26th, 2003
  3. Anonymous says:

    Except that session_regenerate_id (PHP 4 >= 4.3.2)

    ... on December 7th, 2003
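
The approach the comments above arrive at, written out as a login handler. This is an added example, not code from the original post or its commenters; it assumes PHP 7.3 or later, and `check_credentials()`, the sample account and the `$_SESSION` keys are hypothetical.

```php
<?php
// Added example. Assumptions: PHP >= 7.3, site served over HTTPS.

// Reject session IDs the server never issued and IDs passed in URLs:
// those are the usual ways a chosen ID gets fixed on a victim's browser.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical credential check with a constructed sample account;
// a real one would look up a stored hash for $user.
function check_credentials(string $user, string $pass): bool
{
    $stored = password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $stored);
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // The privilege level changes here, so the pre-login ID must die.
    // Passing true deletes the old session's stored data as well.
    if (!session_regenerate_id(true)) {
        return false;
    }
    // Discard anything written to the session before authentication.
    $_SESSION = [];
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    $ok = is_string($user) && is_string($pass) && login($user, $pass);
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'logged in' : 'login failed';
}
```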
