Been working on a new site that will use browser's cookies to log in users. In layman's terms give me some tips on how to protect site's cookies/sessions from being hijacked. What are some common practices?
you should use secure cookies on your site and set http only,add limit of cookies these are the best practices.
I'd like to do it via htaccess, will this do the job? php_flag session.cookie_httponly on I also see that different php versions use different ways of doing that. What is common practice of setting a secure cookie in php 8?
To protect your site's cookies and sessions from hijacking, you can follow these tips: 1. Set HttpOnly and Secure Flags: Use `session.cookie_httponly`, which prevents JavaScript access to cookies, and `session.cookie_secure`, which ensures cookies are only sent over HTTPS. 2. Use SameSite Attribute: Set the SameSite attribute for cookies to prevent CSRF attacks. You can use `session_set_cookie_params(['samesite' => 'Strict']);` in PHP. 3. Regenerate Session IDs: Regenerate the session ID on login and at regular intervals using `session_regenerate_id()`. 4. Validate User Agents and IPs: Maintain a record of user agents and IPs to detect anomalies. In your `.htaccess`, you can add: php_flag session.cookie_httponly on php_flag session.cookie_secure on PHP: For PHP 8, you can set a secure cookie using: session_set_cookie_params([ 'lifetime' => 0, 'path' => '/', 'domain' => 'yourdomain.com', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict' ]); PHP: Implementing these practices will help enhance the security of your cookies and sessions.