I need to create a very strong and secure session using PHP and Mysql. I'm reading the following guide: Create a Secure Session Management System in PHP and MySQL; it is secure and solid? Please post the best method to secure a session.
At the moment the security is granted by this little script based on the guide above, but i know is not so secure, please help me to improve it:
function sec_session_start() {
$session_name = "";
$secure = true; // Imposta il parametro a true se vuoi usare il protocollo 'https'.
$httponly = true; // Questo impedirà ad un javascript di essere in grado di accedere all'id di sessione.
ini_set('session.use_only_cookies', 1); // Forza la sessione ad utilizzare solo i cookie.
$cookieParams["lifetime"] = 1440;
$cookieParams = session_get_cookie_params(); // Legge i parametri correnti relativi ai cookie.
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_name($session_name); // Imposta il nome di sessione con quello prescelto all'inizio della funzione.
session_start(); // Avvia la sessione php.
session_regenerate_id(true); // Rigenera la sessione e cancella quella creata in precedenza.
}
My server is now a simple machine with Ubuntu, I installed only a few programs like apache, php5, mysql, phpmyadmin and webmin. Currently is active access via ssh and I think this can generate problems for safety, but for the moment, the project is not launched and then there aren't these type of problems. I'm using PDO for all SQL scripts.
More than anything I need information on how to improve the security of sessions in PHP because in my opinion these are the most at risk for the moment. I'm also trying to optimize the script against SQL injection, brute force attack, and DDos.