且构网 (sharing the things programmers build)

Securely creating and destroying PHP login sessions

Updated: 2023-12-04 08:02:04

First of all you should read the Mozilla WebAppSec Secure Coding Guidelines - Session Management and OWASP A3 - Broken Authentication and Session Management. You can configure PHP's session handler to meet these requirements.

The first flaw you should prevent is A9 - Insufficient Transport Layer Protection. In short, you do not want someone to hijack a session using a tool like Firesheep. This attack can be prevented by forcing the browser to send the session id only over HTTPS:

session.cookie_secure=1

You can prevent an attacker from obtaining the session id via XSS by setting the httponly flag:

session.cookie_httponly=1

You always want to use a cookie to store your session id. If the session id can be passed as a GET or POST variable, an attacker could use a Session Fixation attack to hijack a session. Another way of thinking about this attack is that you don't want an attacker to be able to create a session for another user:

session.use_cookies=1
session.use_only_cookies=1

Next, you want to make sure you have at least 128 bits of entropy from a CSPRNG. On *nix systems you can use /dev/urandom:

session.entropy_file="/dev/urandom"
session.entropy_length=16

The session handler isn't everything. You still need to worry about Cross-Site Request Forgery attacks (aka CSRF or "Session Riding") and Cross-Site Scripting (XSS). XSS can be used to defeat CSRF protection (even with httponly cookies!). Clickjacking can also be used by an attacker to perform unauthorized actions.

After you set these configuration options, just call session_start(). As for destroying the session, call session_destroy() when the user logs out; it's that simple!
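The settings above in runnable form, as an added example that is not part of the original post: it applies the php.ini options at runtime and adds the login/logout steps around session_start() and session_destroy(). It assumes PHP 7.1 or later, where session.entropy_file and session.entropy_length no longer exist (the session id size is set with session.sid_length and session.sid_bits_per_character instead), and the function names secure_session_start, login_user and logout_user are my own.

```php
<?php
// Added example (not from the original post): minimal hardening of PHP's
// built-in session handler, applied at runtime instead of in php.ini.
// Assumes PHP >= 7.1 and a site served over HTTPS.

declare(strict_types=1);

function secure_session_start(): void
{
    // Send the session cookie only over HTTPS (A9) and hide it from JavaScript.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    // Accept session ids from cookies only, never from GET/POST (session fixation).
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // entropy_file/entropy_length were removed in PHP 7.1; the id is now read
    // from the OS CSPRNG, and its size is configured directly:
    // 48 characters * 5 bits = 240 bits, comfortably above the 128-bit floor.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '5');

    session_start();
}

// Call after the user's credentials have been verified. Regenerating the id
// discards any id an attacker could have planted before authentication.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = remove the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Full teardown on logout: clear server-side data, expire the browser's
// cookie, then destroy the session itself.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

secure_session_start();
```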