PHP Classes

Secure Session: Prevent session hijacking or session fixation

Version: secure_session 1.0.0
License: GNU General Publi...
Categories: User Management, Security


This class can be used to mitigate two well-known attacks on PHP sessions: session hijacking and session fixation.

When a session is initialized, the class computes a fingerprint string that takes into account the browser's User-Agent string, the client IP address (or a leading part of it) and a secret word. If the fingerprint value changes on a later request, it is likely that the session was hijacked, and the session should no longer be accepted. Using only part of the IP address reduces false rejections for clients whose address moves within one range, for example behind a pool of proxies; a client whose address changes across ranges is still logged out.

To prevent session fixation attacks, the class calls the PHP session_regenerate_id() function so that the session identifier changes every time the session is checked. A session identifier that an attacker obtained or planted earlier therefore stops referring to the victim's session.

Innovation Award
PHP Programming Innovation award nominee
January 2006
Number 2

Prize: One book of choice by O'Reilly
Sessions have become one of the features that can be exploited to attack PHP sites.

Sessions are not insecure by themselves, but if they are not used with care, they can be abused by malicious users.

Session hijacking can happen when somebody with privileged network access sniffs the traffic between a victim and a site and captures the victim's session identifier. Session fixation can happen when a site keeps the same session identifier for a user before and after that user authenticates, so an attacker who planted a known identifier in the victim's browser ends up sharing the authenticated session.

This class provides a solution to these kinds of session abuse so that PHP sites that use sessions are not compromised.
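The two defences described above (a fingerprint bound to the User-Agent, part of the client IP and a server secret for hijacking; session_regenerate_id() for fixation) can be implemented in a few functions. The following is an added example written for this page, not the secure_session class's own code. The names SESSION_SECRET, FINGERPRINT_IP_OCTETS, session_fingerprint(), secure_session_start() and on_login_success() are this example's own; the secret is a placeholder and would be loaded from configuration in a real deployment.

```php
<?php
// Added example, not code from the secure_session class: a session guard
// that ties the session to a fingerprint (User-Agent, leading IP part,
// server secret) and regenerates the identifier when privileges change.
// SESSION_SECRET, FINGERPRINT_IP_OCTETS, session_fingerprint(),
// secure_session_start() and on_login_success() are this example's own names.
declare(strict_types=1);

// Assumption: in production this comes from configuration, not the code base.
const SESSION_SECRET = 'replace-with-a-long-random-server-secret';

// Leading IPv4 octets bound into the fingerprint. 4 is strictest; 3 or fewer
// tolerates clients whose address moves inside one range (e.g. a proxy pool).
const FINGERPRINT_IP_OCTETS = 3;

function session_fingerprint(array $server): string
{
    $userAgent = $server['HTTP_USER_AGENT'] ?? '';
    $ip        = $server['REMOTE_ADDR'] ?? '';

    if (strpos($ip, ':') !== false) {
        // IPv6: keep the first four 16-bit groups (the usual /64 prefix).
        $ipPart = implode(':', array_slice(explode(':', $ip), 0, 4));
    } else {
        $ipPart = implode('.', array_slice(explode('.', $ip), 0, FINGERPRINT_IP_OCTETS));
    }

    // HMAC with the server secret: an attacker who knows the victim's
    // User-Agent and IP range still cannot compute the expected value.
    return hash_hmac('sha256', $userAgent . "\0" . $ipPart, SESSION_SECRET);
}

// Start (or resume) the session and verify its fingerprint.
// Returns false, with the session destroyed, when the fingerprint no
// longer matches; that mismatch is the hijacking indicator.
function secure_session_start(array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_only_cookies', '1'); // no ?PHPSESSID= in URLs
        ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
        ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts
        session_start();
    }

    $current = session_fingerprint($server);

    if (!isset($_SESSION['_fingerprint'])) {
        $_SESSION['_fingerprint'] = $current; // first request: bind the session
        return true;
    }

    if (!hash_equals($_SESSION['_fingerprint'], $current)) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Call once the user has authenticated. Issuing a fresh identifier here is
// the fixation defence: an ID planted before login no longer refers to the
// authenticated session.
function on_login_success(int $userId): void
{
    session_regenerate_id(true); // true also deletes the old session data
    $_SESSION['user_id'] = $userId;
}

// Usage at the top of a request handler:
// if (!secure_session_start($_SERVER)) { header('Location: /login.php'); exit; }
```

This example regenerates the identifier only at the privilege change (login), which is the minimum needed against fixation; the class on this page regenerates it on every check, which is stricter. The session.use_strict_mode setting is a second fixation control: PHP then refuses to adopt an identifier it did not generate itself.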

Manuel Lemos
Author: Vagharshak Tozalakyan (United States)

Files:
  securesession.class.php  (Class source)
  sample/index.php         (Example)
  sample/login.php         (Example)

User Comments (7)

absolutely great work.
13 years ago (Can Berk)
Not the most secure way of doing things possible, but provide...
13 years ago (troy knapp)
just wanted to say thanks for sharing the hard work(& update)!
13 years ago (James S)
Very nicely done.
15 years ago (Michael A. Peters)
does not properly handle users behind proxy servers
16 years ago (david saez)
Great script.
16 years ago (Dennis Granger)
16 years ago (calvin)