
PHP hardening using session.cookie_httponly & session.referer_check


session.cookie_httponly

Setting this value to 1 prevents JavaScript from accessing PHP session cookies, which helps stop attackers from stealing them. However, you will not be able to use this directive if your application's JavaScript needs to read the PHP session cookie.

session.referer_check

This parameter makes PHP check the HTTP Referer header. You specify a domain, so that session information is only accepted while a user is actually working within the web application. This helps prevent your users from accidentally exposing session information that would let a malicious user follow a link and take over the session.
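An added example (not code from the original post) that applies both directives at runtime before the session starts, with the site name `example.com` as a placeholder value:

```php
<?php
// Added example: apply the two hardening directives at runtime before session_start().
// Both can equally be set in php.ini; the values shown here are illustrative.

function harden_session(string $refererSubstring): void
{
    // Mark the session cookie HttpOnly so document.cookie cannot read it.
    ini_set('session.cookie_httponly', '1');

    // Require this substring in any Referer header the client sends; if a
    // Referer is present but does not contain it, PHP treats the session ID
    // in that request as invalid and issues a new one.
    ini_set('session.referer_check', $refererSubstring);

    // Cookie flags usually set together with HttpOnly (PHP 7.3+ array form).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // send the cookie over HTTPS only
        'samesite' => 'Lax',
    ]);

    session_start();
}

harden_session('example.com');

// Report the effective settings, e.g. from a configuration health check.
$effective = [
    'cookie_httponly' => ini_get('session.cookie_httponly'),
    'referer_check'   => ini_get('session.referer_check'),
];
var_export($effective);
```

Note that session.referer_check only applies when the client sends a Referer header at all, and that header is client-controlled, so it supplements rather than replaces per-request CSRF tokens.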