<?php
/* In a nutshell, this is a quick way to ensure your sessions are difficult to attack. There may be
 * ways to improve this configuration but it's a good starting point, I feel.
 *
 * Code released in accordance with the ZAP > http://tlwsd.info/LICENSE.txt
 *
 * Requirements: HTTPS (get a free cert from StartSSL.com if you have no money :P)
 * A well-configured webserver (see: Calomel.org)
 * Access to server config is a bonus because you can just change php.ini and not have to make a bunch of runtime calls to ini_set(), thus boosting performance
 */
ini_set('session.cookie_httponly', '1');
// Above: Tells the user's browser to not expose session cookie contents to JavaScript
ini_set('session.cookie_secure', '1');
// Above: Tells the user's browser to not send the session cookie over unencrypted HTTP
ini_set('session.entropy_file', '/dev/urandom'); // On BSD systems, you may wish to use /dev/arandom
ini_set('session.entropy_length', '32');
ini_set('session.hash_function', 'sha256');
ini_set('session.hash_bits_per_character', '6');
// Above: Use strong pseudorandom data in the session IDs to prevent session fixation and ID guessing.
// Note: these four entropy_*/hash_* directives were removed in PHP 7.1, which always draws the ID
// from the system CSPRNG; on 7.1+ use session.sid_length and session.sid_bits_per_character instead.
ini_set('session.use_trans_sid', '0');
// Above: Never rewrite URLs to carry the session ID; the ID travels only in the cookie.
session_start();
// All configuration must be set before session_start();
?>
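The same hardening packaged as a reusable session bootstrap, added here as an example and not code from the original paste: it keeps the directives above on PHP 5.x, switches to the replacement directives on PHP 7.1+, refuses to start a session if ini_set() rejected any directive (as happens when the host locks settings in php.ini), and regenerates the session ID on login, which is the step that stops an ID a client arrived with from becoming an authenticated one. The function names secure_session_config, apply_session_config, start_secure_session and login_user are my own.

```php
<?php
// Added example, not the original paste's code. Function names are my own choice.
declare(strict_types=1);

// Build the directive set for the running PHP version. All values are strings
// because ini_set() stores strings regardless of the directive's type.
function secure_session_config(): array
{
    $settings = [
        'session.cookie_httponly'  => '1',  // cookie not readable from JavaScript
        'session.cookie_secure'    => '1',  // cookie only sent over HTTPS
        'session.use_only_cookies' => '1',  // ignore session IDs supplied in the URL
        'session.use_trans_sid'    => '0',  // never rewrite URLs to carry the ID
        'session.use_strict_mode'  => '1',  // reject IDs the server never issued (PHP >= 5.5.2)
    ];

    if (PHP_VERSION_ID >= 70100) {
        // PHP 7.1 removed session.entropy_* and session.hash_*; the session ID
        // is always drawn from the system CSPRNG, so only length/alphabet remain.
        $settings['session.sid_length'] = '48';            // 48 chars * 6 bits = 288 bits
        $settings['session.sid_bits_per_character'] = '6';
    } else {
        $settings['session.entropy_file'] = '/dev/urandom';
        $settings['session.entropy_length'] = '32';
        $settings['session.hash_function'] = 'sha256';
        $settings['session.hash_bits_per_character'] = '6';
    }

    if (PHP_VERSION_ID >= 70300) {
        // Available from PHP 7.3: limits cross-site sending of the cookie.
        $settings['session.cookie_samesite'] = 'Lax';
    }

    return $settings;
}

// Apply every directive and return the names of those ini_set() rejected.
function apply_session_config(array $settings): array
{
    $rejected = [];
    foreach ($settings as $directive => $value) {
        if (ini_set($directive, $value) === false) {
            $rejected[] = $directive;
        }
    }
    return $rejected;
}

// Start the session only after the hardening is in place; fail loudly rather
// than silently issue weak cookies from a partially applied configuration.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $rejected = apply_session_config(secure_session_config());
    if ($rejected !== []) {
        throw new RuntimeException('Session hardening not applied: ' . implode(', ', $rejected));
    }
    session_start();
}

// On authentication, swap the session ID so that whatever ID the client
// arrived with is never promoted to an authenticated session.
function login_user(int $userId): void
{
    session_regenerate_id(true); // true discards the old session data file
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

// Usage:
start_secure_session();
if (!isset($_SESSION['user_id'])) {
    // ... verify credentials against your user store, then:
    // login_user($idFromDatabase);
}
```

The version switch matters in practice: on PHP 7.1 and later the four entropy_*/hash_* calls from the paste return false and do nothing, so a script that copied them unchanged would be relying on PHP's defaults (128-bit IDs) while believing it had configured 256-bit ones. Checking ini_set()'s return value surfaces that kind of drift.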