How to encrypt session id in cookie?

Moon · Apr 11, 2010 · Viewed 14.7k times

While I was reading articles about session hijacking, I learned that it would be nice to encrypt the session ID value that is stored in a cookie.

As far as I know, when I start a session by calling session_start(), PHP does not encrypt the session ID value in the cookie.

How do I encrypt the session ID value and then initialize the session with it?

Answer

Matthew Flaschen · Apr 11, 2010

Encrypting won't help. The session cookie is just a magic number anyway. Encrypting it just means there's a different magic number to hijack. Depending on what hijacking scenarios you have in mind, there are other possible mitigations. For example, you can limit sessions to a single IP. That poses some issues though, e.g. people switching between wireless points.
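As an added example (not part of the original question or answer), here is a PHP session bootstrap that applies the mitigation the answer mentions, binding the session to a single client IP, and goes beyond the answer's text with the standard cookie hardening a practitioner would pair with it: Secure, HttpOnly and SameSite cookie attributes, strict session-ID mode, and ID regeneration on login. The function names and the `$_SESSION` keys are this example's own, and it assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example, not code from the original question or answer.
// Function names and $_SESSION keys are this example's own choices.
declare(strict_types=1);

// Start the session with a cookie that JavaScript cannot read, that is only
// sent over HTTPS, and that is not attached to cross-site requests.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => true,       // HTTPS only
        'httponly' => true,       // not exposed via document.cookie
        'samesite' => 'Strict',   // use 'Lax' if cross-site top-level links must keep the session
    ]);
    // Refuse session IDs the server did not generate itself, which blocks
    // session fixation (an attacker planting an ID they already know).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Bind the session to the client address seen when the session was created.
// Returns false, after destroying the session, if a later request arrives
// from a different address. As the answer notes, legitimate users who change
// networks (mobile to Wi-Fi, roaming between access points) are logged out
// by this check, so weigh that cost against the hijacking scenarios you face.
function enforce_ip_binding(string $client_ip): bool
{
    if (!isset($_SESSION['bound_ip'])) {
        $_SESSION['bound_ip'] = $client_ip;
        return true;
    }
    if ($_SESSION['bound_ip'] !== $client_ip) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Call after a successful login. A fresh ID means any ID an attacker observed
// or planted before authentication no longer refers to the logged-in session.
function on_login(int $user_id, string $client_ip): void
{
    session_regenerate_id(true);   // true removes the old session data on the server
    $_SESSION['user_id']  = $user_id;
    $_SESSION['bound_ip'] = $client_ip;
}

start_hardened_session();
$client_ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (!enforce_ip_binding($client_ip)) {
    http_response_code(401);
    exit('Session invalid, please sign in again.');
}
```

The point the answer makes still holds here: nothing in this bootstrap encrypts the session ID, because the ID is already an opaque random value and encrypting it would only produce a different bearer token. What reduces hijacking risk is keeping the token off the wire in the clear (Secure), out of reach of injected scripts (HttpOnly), and short-lived relative to authentication events (regeneration on login).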