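<?php
/* In a nutshell, this is a quick way to ensure your sessions are difficult to attack. There may be
 * ways to improve this configuration but it's a good starting point, I feel.
 *
 * Code released in accordance with the ZAP > http://tlwsd.info/LICENSE.txt
 *
 * Requirements: HTTPS (get a free cert from StartSSL.com if you have no money :P)
 * A well-configured webserver (see: Calomel.org)
 * Access to server config is a bonus because you can just change php.ini and not have
 * to make a bunch of runtime calls to ini_set(), thus boosting performance.
 *
 * Every setting below must be applied before session_start(); changing them afterwards
 * has no effect on the session that is already running.
 */

// ini_set() historically takes string values; '1'/'0' work on every PHP version
// (bool arguments are only accepted from PHP 8.1 onwards).
ini_set('session.cookie_httponly', '1');
// Above: tells the user's browser not to expose the session cookie to JavaScript (document.cookie).
ini_set('session.cookie_secure', '1');
// Above: tells the user's browser to send the session cookie only over HTTPS, never over plain HTTP.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Above: accept the session ID from the cookie only, never from the URL, so it is not leaked through
// links, server logs or Referer headers.
ini_set('session.use_strict_mode', '1');
// Above (PHP >= 5.5.2): reject session IDs the server did not generate itself. This, not ID entropy,
// is the setting that defeats session fixation; pair it with session_regenerate_id(true) on login
// and on every privilege change.
if (PHP_VERSION_ID >= 70300) {
    ini_set('session.cookie_samesite', 'Lax');
    // Above: ask the browser not to attach the cookie to cross-site requests (CSRF defence-in-depth).
}

// Session ID strength. PHP 7.1 removed the session.entropy_* and session.hash_* directives (IDs are
// now always drawn from the OS CSPRNG) and replaced them with session.sid_length /
// session.sid_bits_per_character. ini_set() on a removed directive just returns false, so pick the
// family that matches the running interpreter instead of configuring nothing by accident.
if (PHP_VERSION_ID >= 70100) {
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6'); // 48 chars * 6 bits = 288-bit session IDs
} else {
    ini_set('session.entropy_file', '/dev/urandom'); // On BSD systems, you may wish to use /dev/arandom
    ini_set('session.entropy_length', '32');
    ini_set('session.hash_function', 'sha256');
    ini_set('session.hash_bits_per_character', '6');
}
// Above: long, unpredictable session IDs make guessing or brute-forcing a live session infeasible.

session_start();
// All configuration must be set before session_start();
?>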