I have a web application that will utilize standard PHP sessions (cookies + session stored on file system, etc).
What approaches are most recommended for limiting session fixation and hijacking threats? For example:
- php.ini settings?
- creating extra session tokens besides session_id?
Kind of a big topic... but any suggestions or links to get me started would be great.