-
Notifications
You must be signed in to change notification settings - Fork 343
How to secure sessions against session hijacking attacks
Miryafa edited this page Jul 18, 2016
·
2 revisions
Configure the Session Manager to help mitigate session hijacking attacks.
If you haven't already done so, add the session manager factory to your application via a module config or config/autoload file.
In the same file (or another file if you prefer), add the session_manager key and insert the session validators you wish to load. In this case we'll use both RemoteAddr and HttpUserAgent:
return [
'service_manager' => [
'factories' => [
'Zend\Session\ManagerInterface' => 'Zend\Session\Service\SessionManagerFactory',
],
],
'session_manager' => [
'validators' => [
'Zend\Session\Validator\RemoteAddr',
'Zend\Session\Validator\HttpUserAgent',
]
],
];
Alternatively, you could use an external module such as HtSession instead of a manual configuration.
NOTE: This does not really secure your session against hijacking attacks unless it's 1994. Please use HTTPS, secure cookies, HTTP only cookies, CSRF protection, credential re-entry and session regeneration to make sure your sessions are secure.