[nycphp-talk] preventing randomized session variable from changing when page is refreshed
bzcoder
bzcoder at bzcode.com
Wed Aug 20 16:23:36 EDT 2008
Kristina Anderson wrote:
> That's what I want to do, but I need to prevent the value of session id
> from changing if for some reason they revisit or refresh the index.php
> page...as that is where the value is created.
>
> I've seen discussions on here about populating a hidden field and then
> testing that to see if it's not empty as a way to handle this, I think.
>
>
Well, first off you can take a minimal step towards avoiding session
fixation [someone sending someone to your website with a made up session
id in the url, thus they now know what the session is] by using:
session_start();
// On the first request of a session, replace whatever id the browser
// presented (it may have been planted in a link) with a fresh one.
if (!isset($_SESSION['initiated']))
{
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}
from http://phpsec.org/projects/guide/4.html
This doesn't prevent all session fixation attacks, as the attacker can
still initialize a legitimate session and then send the user to your
site, but it does stop the easy ones - while at the same time solving
your problem [when you create a session id on index.php you set a session
variable. Then on subsequent loads of the index page, if that variable
is set they will keep the same id they had].
You can also go further and whenever the person does something on the
site that is meaningful [for example, adds something to the shopping
cart] you can regenerate the session id, giving them a new one that now
no attacker knows.
Since you're putting some work into handling sessions, check out the rest
of the page for how to deal with minimizing session hijacking as well.
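An added example, not from bzcoder's post or the phpsec guide, that puts the two pieces of advice together: regenerate the id once when the session is first initiated (which also keeps the random value created on index.php stable across refreshes), and regenerate it again on a meaningful action. The function names secure_session_start and on_privilege_change, the visit_token key, and the PHP 7+ requirement (random_bytes) are assumptions.

```php
<?php
// Added example. Assumes PHP 7+ for random_bytes(). Include this at the
// top of index.php and every other page before any output is sent.

function secure_session_start(): void
{
    // Only accept the session id from the cookie, never from the URL,
    // which removes the "?PHPSESSID=..." variant of fixation entirely.
    ini_set('session.use_only_cookies', '1');
    // HttpOnly keeps page scripts from reading the cookie, narrowing
    // the ways a session id can be stolen (hijacking).
    ini_set('session.cookie_httponly', '1');
    session_start();

    if (!isset($_SESSION['initiated'])) {
        // First request of this session: drop whatever id the browser
        // arrived with and issue a fresh one. Passing true deletes the old
        // session record, so an id someone else planted maps to nothing.
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
        // The per-visit random value created on index.php. It is set only
        // here, so refreshing or revisiting index.php leaves it unchanged.
        $_SESSION['visit_token'] = bin2hex(random_bytes(16));
    }
}

function on_privilege_change(): void
{
    // Call after login, adding to the cart, etc.: the user gets a new id
    // that nobody who saw the earlier id knows; the data in $_SESSION,
    // including visit_token, is carried over to the new id.
    session_regenerate_id(true);
}

secure_session_start();
echo 'visit token: ' . htmlspecialchars($_SESSION['visit_token']);
```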