How to Limit Session Hijacking Threat?

software development

#1

I have a web application that will utilize standard PHP sessions (cookies + session stored on file system, etc).

What approaches are most recommended for limiting session fixation and hijacking threats? For example:

  • php.ini settings?
  • creating extra session tokens besides session_id?
  • etc.

Kind of a big topic… but any suggestions or links to get me started would be great.

Thanks.
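One way to put the approaches the question lists into practice, as an added example that is not part of the thread or the linked guide: a session bootstrap for the default file-backed PHP handler that applies the relevant php.ini settings at runtime, regenerates the id on login, adds an extra per-session token, and enforces an idle timeout. Function names, the idle limit and the User-Agent binding are this example's own choices; it assumes PHP 7.3 or later (for `session.cookie_samesite`) and an HTTPS-only site (for `session.cookie_secure`).

```php
<?php
// Added example (not from the thread): a small session bootstrap for a PHP app
// that uses the default file-backed session handler. It applies the php.ini
// settings the question asks about and regenerates the id on login.
// Assumes PHP >= 7.3 and that the site is served only over HTTPS.

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the session is discarded (chosen value)

function secure_session_start(): void
{
    // Reject session ids the server did not issue; this defeats classic
    // fixation, where the victim is handed a pre-chosen id.
    ini_set('session.use_strict_mode', '1');
    // Accept the id only from the cookie, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Keep the cookie out of reach of document.cookie (XSS) and off plain HTTP.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    // Use a long, random id (these two options exist since PHP 7.1).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    session_start();

    // Idle timeout: the cookie lifetime is enforced by the browser, not the
    // server, so track last activity ourselves.
    $now = time();
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > SESSION_IDLE_LIMIT) {
        destroy_session();
        session_start(); // strict mode rejects the stale cookie id and issues a new one
    }
    $_SESSION['last_activity'] = $now;

    // Bind the session loosely to the client: a User-Agent change mid-session
    // is a cheap signal that the id may have been replayed from elsewhere.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['ua_hash']) && !hash_equals($_SESSION['ua_hash'], $ua)) {
        destroy_session();
        session_start();
    }
    $_SESSION['ua_hash'] = $ua;
}

function login_user(int $userId): void
{
    // Privilege change: issue a fresh id and delete the old session file so an
    // id that leaked before authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
    // Extra per-session token (the "token besides session_id" idea): it must be
    // echoed back in every state-changing POST and is compared in constant time.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function csrf_token_is_valid(?string $submitted): bool
{
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Usage on every request, before any output:
//   secure_session_start();
// After the password check succeeds:
//   login_user($userId);
// In a POST handler:
//   if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) { http_response_code(403); exit; }
```

Two caveats worth knowing: `session_regenerate_id(true)` deletes the old session file immediately, which can break a concurrent request from the same browser that is still carrying the old id (the PHP manual documents this; regenerate only at privilege changes, not on every request). The User-Agent check is a weak heuristic, not an authenticator; whoever has stolen the cookie can usually copy that header too, so the real protections are the `HttpOnly`/`Secure` cookie flags, strict mode, and the id regeneration.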


#2

http://phpsec.org/projects/guide/5.html

Jw