Last active
March 20, 2025 22:08
Gist: putWorkDev/5942093585bf792db392
Revisions
putWorkDev revised this gist
Oct 21, 2015. 1 changed file with 6 additions and 1 deletion.
@@ -16,4 +16,9 @@ session.cookie_httponly = 1 ; that PHP only uses cookies for ; sessions and disallow session ; ID passing as a GET parameter: session.use_only_cookies = 1 ; PHP has ini setting to ensure session ; cookies are only sent over secure ; connections: session.cookie_secure = 1 -
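Review bot: `session.cookie_secure = 1`, added at the end of this hunk, makes the browser withhold the session cookie on every plain-HTTP request, so each page that calls session_start() must be served over HTTPS or users get a fresh, empty session on every request; the comment before the setting should state that requirement rather than just "only sent over secure connections". The `session.use_only_cookies = 1` line in the same hunk is a sound default, but its comment should note that it only stops session IDs being accepted from the query string and does nothing for an ID that was already issued, so session_regenerate_id() after login is still needed.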
putWorkDev revised this gist
Oct 21, 2015. 1 changed file with 10 additions and 2 deletions.
@@ -2,10 +2,18 @@ ; /etc/php5/cli/php.ini ; /etc/php5/apache2/php.ini ; By specifying the HttpOnly flag when ; setting the session cookie you can ; tell a users browser not to expose ; the cookie to client side scripting ; such as JavaScript. This makes it ; harder for an attacker to hijack ; the session ID and masquerade as ; the effected user. session.cookie_httponly = 1 ; It is also a good idea to make sure ; that PHP only uses cookies for ; sessions and disallow session ; ID passing as a GET parameter: session.use_only_cookies = 1 -
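Review bot: The explanatory comment added in this hunk claims more for HttpOnly than it delivers: the flag stops client-side script from reading the cookie, which is what cookie-stealing XSS relies on, but script injected into the site can still issue requests that carry the user's session from inside the browser, so it limits the impact of an XSS rather than making hijacking impossible; "harder for an attacker to hijack the session ID" should say "steal the session cookie". Two spelling fixes in the same comment: `a users browser` should read `a user's browser` and `the effected user` should read `the affected user`.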
putWorkDev revised this gist
Oct 21, 2015. 1 changed file with 11 additions and 0 deletions.
@@ -0,0 +1,11 @@ ; Edit next files: ; /etc/php5/cli/php.ini ; /etc/php5/apache2/php.ini session.cookie_httponly = 1 ; It is also a good idea to make sure ; that PHP only uses cookies for ; sessions and disallow session ; ID passing as a GET parameter: -
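Review bot: The comment that closes this hunk ("; ID passing as a GET parameter:") announces a setting that is not there; the matching `session.use_only_cookies = 1` line is missing, so the file as created only turns on HttpOnly. Also, of the two paths under "; Edit next files:", /etc/php5/cli/php.ini governs command-line PHP only and has no effect on web session cookies; /etc/php5/apache2/php.ini is the one that matters for mod_php, and whichever SAPI actually serves the site needs the same settings in its own php.ini.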
putWorkDev revised this gist
Oct 21, 2015. 1 changed file with 5 additions and 1 deletion.
@@ -8,4 +8,8 @@ ini_set('session.use_only_cookies', 1); // Uses a secure connection (HTTPS) if possible ini_set('session.cookie_secure', 1); // OR if u want to add directly to setcookie function setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL); ?> -
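Review bot: The `setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL)` call added in this hunk sets the Secure flag (sixth argument) but leaves HttpOnly (seventh argument) off, which contradicts the file's own "PREVENTING SESSION HIJACKING" goal; it should be `setcookie("name", "value", 0, "/", "", true, true);`. Note also that setcookie() creates an ordinary cookie, not the PHP session cookie, so it is not an alternative to the ini_set() lines above it; to put both flags on the session cookie without ini_set(), call `session_set_cookie_params(0, '/', '', true, true);` before session_start(). Two smaller points: the ini_set() calls only take effect if they run before session_start() on every request, which the file should say, and the closing `?>` tag should be dropped from a PHP-only include so that a trailing newline after it cannot start output and trigger "headers already sent" before the cookie is written.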
putWorkDev created this gist
Oct 21, 2015.
@@ -0,0 +1,3 @@ With .htaccess just need to add these flags: php_value session.cookie_httponly 1 php_value session.cookie_secure 1
@@ -0,0 +1,11 @@ <?php // **PREVENTING SESSION HIJACKING** // Prevents javascript XSS attacks aimed to steal the session ID ini_set('session.cookie_httponly', 1); // **PREVENTING SESSION FIXATION** // Session ID cannot be passed through URLs ini_set('session.use_only_cookies', 1); // Uses a secure connection (HTTPS) if possible ini_set('session.cookie_secure', 1);
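Review bot: In the .htaccess hunk, `php_value` directives are only recognized by Apache when PHP runs as mod_php; under php-fpm or CGI they produce a configuration error instead of taking effect, so the line "With .htaccess just need to add these flags" should state that precondition, and for boolean settings `php_flag session.cookie_httponly on` is the idiomatic form (the `php_value ... 1` form does work). That hunk also omits `session.use_only_cookies`, which the PHP file in the same revision treats as essential. In the PHP hunk two comments are inaccurate: `// Prevents javascript XSS attacks aimed to steal the session ID` should say that HttpOnly stops script from reading the cookie, not that it prevents XSS; and `// Uses a secure connection (HTTPS) if possible` misdescribes the Secure flag, which does not negotiate HTTPS but makes the browser withhold the cookie on plain HTTP, so `session.cookie_secure` silently breaks sessions on any page still served over HTTP. Under "PREVENTING SESSION FIXATION", `session.use_only_cookies` alone is not a complete defence: add `session_regenerate_id(true);` after authentication and, on PHP 5.5.2 or later, `session.use_strict_mode = 1` so the server rejects session IDs it did not generate.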