How to secure sessions against session hijacking attacks
Eric Richer edited this page Dec 4, 2020 · 1 revision
Configure the Session Manager to help mitigate session hijacking attacks.
If you haven't already done so, add the session manager factory to your application via a module config or config/autoload file.
In the same file (or another file if you prefer), add the session_manager key and insert the session validators you wish to load. In this case we'll use both RemoteAddr and HttpUserAgent:
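    <?php
    return [
        'service_manager' => [
            'factories' => [
                // Builds the session manager from the session_manager key below.
                'Laminas\Session\ManagerInterface' => 'Laminas\Session\Service\SessionManagerFactory',
            ],
        ],
        'session_manager' => [
            'validators' => [
                // Invalidate the session if the client IP address changes.
                'Laminas\Session\Validator\RemoteAddr',
                // Invalidate the session if the User-Agent header changes.
                'Laminas\Session\Validator\HttpUserAgent',
            ],
        ],
    ];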
Alternatively, you could use an external module such as HtSession instead of a manual configuration.
NOTE: This does not really secure your session against hijacking attacks unless it's 1994. Please use HTTPS, secure cookies, HTTP only cookies, CSRF protection, credential re-entry and session regeneration to make sure your sessions are secure.
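The cookie flags named in the note can be set in the same config file. This is an added example, not part of the original wiki page: it registers laminas-session's SessionConfigFactory so that a session_config key is applied to the manager, and the file name and the specific values are assumptions to adapt.

```php
<?php
// Added example (not from the original page).
// Assumed location: config/autoload/session.global.php
return [
    'service_manager' => [
        'factories' => [
            'Laminas\Session\ManagerInterface' => 'Laminas\Session\Service\SessionManagerFactory',
            // SessionManagerFactory uses this service, when present, to
            // configure the manager from the session_config key below.
            'Laminas\Session\Config\ConfigInterface' => 'Laminas\Session\Service\SessionConfigFactory',
        ],
    ],
    'session_config' => [
        // Send the session cookie over HTTPS only, so it cannot be
        // captured from a plain-HTTP request.
        'cookie_secure'    => true,
        // Hide the cookie from JavaScript (document.cookie), limiting
        // what an XSS flaw can steal.
        'cookie_httponly'  => true,
        // Never accept a session ID from the URL or a form field.
        'use_cookies'      => true,
        'use_only_cookies' => true,
        // Session cookie: discarded when the browser closes.
        'cookie_lifetime'  => 0,
        // Server-side idle lifetime in seconds (value is an assumption).
        'gc_maxlifetime'   => 1800,
    ],
    'session_manager' => [
        'validators' => [
            // Kept from the page as a secondary check; these do not
            // replace the cookie settings above.
            'Laminas\Session\Validator\RemoteAddr',
            'Laminas\Session\Validator\HttpUserAgent',
        ],
    ],
];
```

For session regeneration, call regenerateId(true) on the session manager right after a successful login or any privilege change, so an ID issued before authentication is never reused afterwards.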