On Jul 19, 2006, at 5:05 PM, [EMAIL PROTECTED] wrote:

> I'm not sure if Cake does anything to mitigate this risk, or how much
> of a risk it actually is. I'd like to hear more about it myself, if
> someone is more knowledgeable about how sessions work.

Set CAKE_SECURITY to 'high' in core.php to have the session ID regenerated between requests. This makes it much harder for someone to hijack sessions. Besides this, I'm pretty sure there are php.ini settings that help in avoiding hijack problems (trans_sid comes to mind). If the ID can only come from the cookie, it would be harder to hijack.

-- John

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php
-~----------~----~----~----~------~----~------~--~---
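The reply above mentions three mitigations in passing: regenerating the session ID (what CAKE_SECURITY 'high' does between requests), disabling trans_sid, and accepting the ID only from the cookie. The following is an added example in plain PHP, not code from the thread or from CakePHP, showing how those settings are applied at runtime and what a regeneration step looks like. The function names (rotateSessionId, onSuccessfulLogin), the 300-second rotation interval and the cookie flags are my own choices, not anything the thread specifies.

```php
<?php
// Added example, not from the original thread or from CakePHP itself.
// Shows, in plain PHP, the php.ini-level settings the reply alludes to
// (use_trans_sid, cookie-only session IDs) and a session ID regeneration
// step of the kind CAKE_SECURITY 'high' performs between requests.

// 1. Accept the session ID only from the cookie, never from the URL or the
//    POST body. This closes the "?PHPSESSID=..." path that
//    session.use_trans_sid would otherwise keep open.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject uninitialised IDs supplied by the client; PHP generates its own.
ini_set('session.use_strict_mode', '1');  // available since PHP 5.5.2

// 2. Cookie flags: not readable from script, and only sent over TLS.
//    (Array form of session_set_cookie_params requires PHP >= 7.3.)
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// 3. Regenerate the ID on a schedule and on privilege change. Rotating
//    every request (what the reply describes for 'high') shortens the
//    window in which a leaked ID stays usable; rotating on login defeats
//    session fixation. The 300-second interval is an arbitrary choice.
function rotateSessionId(int $maxAgeSeconds = 300): void
{
    $now = time();
    if (!isset($_SESSION['_rotated_at'])
        || $now - $_SESSION['_rotated_at'] > $maxAgeSeconds) {
        session_regenerate_id(true);  // true: discard the old session data
        $_SESSION['_rotated_at'] = $now;
    }
}

function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);  // never keep a pre-authentication ID
    $_SESSION['user_id']     = $userId;
    $_SESSION['_rotated_at'] = time();
}

rotateSessionId();
```

The ini_set calls only take effect if they run before session_start(), so this belongs in a bootstrap file rather than in a controller; the same keys can equally be set once in php.ini, which is where the reply points.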
