Open reedy opened 10 months ago
The PHP session cookie should have the secure flag and possibly the HttpOnly flag too
secure
HttpOnly
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html https://owasp.org/www-community/HttpOnly
We can do this by slightly changing the session_start() call
session_start()
https://www.php.net/manual/en/function.session-start.php https://www.php.net/manual/en/session.configuration.php
session_start(['cookie_secure' => true, 'cookie_httponly' => true]);
We might want to set a lifetime too...
session_start(['cookie_lifetime' => 43200, 'cookie_secure' => true, 'cookie_httponly' => true]);
Might make sessions a bit more.. reliable?
The PHP session cookie should have the
secureflag and possibly theHttpOnlyflag toohttps://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html https://owasp.org/www-community/HttpOnly
We can do this by slightly changing the
session_start()callhttps://www.php.net/manual/en/function.session-start.php https://www.php.net/manual/en/session.configuration.php
We might want to set a lifetime too...
Might make sessions a bit more.. reliable?