This is hard to defend against completely, but one convenient way to make it harder for attackers is to change the session ID whenever something "important" happens, above all when the user's privilege level changes, such as at sign-in. An attacker who planted or captured the pre-login ID then no longer holds a usable one. For instance, Amazon requires users who are already authenticated with their cookie to sign in again when they want to order something.
Changing the Session ID
<?php
// Buffer output so session_regenerate_id() can still send its cookie header
// after the first echo (headers must go out before any body data).
ob_start();
session_start();
echo 'Old: ' . session_id();
// Issue a fresh ID; session data ($_SESSION) is carried over unchanged.
session_regenerate_id();
echo '<br />New: ' . session_id();
ob_end_flush();
?>
In this case, the function session_regenerate_id() just changes the current session ID but leaves all data intact. This is shown in the preceding code, in which the current session ID (both old and new) is retrieved using the session_id() function. Note that with its default argument the old session's data stays on the server under the old ID until garbage collection removes it; passing true as the first parameter (available since PHP 5.1.0) deletes the old session immediately, which is what you want when the goal is to invalidate an ID an attacker may already know. Figure shows a possible output of this script.
Two session IDs, one is old and one is new.
This code uses output buffering because session_regenerate_id(), like session_start(), sets a session cookie and therefore must be called before any HTML output is sent to the client; the ob_start() call holds back the echoed "Old:" line so that the new cookie header can still be sent.
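The following login handler, an added example rather than code from the original page, applies the advice above in the place it matters most: the ID is regenerated (and the old session deleted) at the moment the user authenticates, and "important" actions require a recent login in the spirit of the Amazon behaviour described earlier. The user table, the password, the function names loginUser(), requireRecentLogin() and logoutUser(), and the 300-second re-authentication window are all assumptions made for the example. session.use_strict_mode, which makes PHP reject session IDs it did not generate itself, is a real PHP setting (5.5.2 and later) added here as extra hardening; the page itself does not discuss it.

```php
<?php
// Added example (not the page's original code): session ID regeneration at
// login as a defence against session fixation, plus re-authentication for
// sensitive actions. Credentials and timings below are constructed for the demo.
declare(strict_types=1);

// Refuse IDs the server never issued (PHP >= 5.5.2); this alone defeats the
// simplest fixation attack, where the attacker supplies an arbitrary ID.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

ob_start();
session_start();

// Constructed user table: one account, password hashed at startup for the demo.
// A real application would look the hash up in its user store.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hypothetical window (seconds) after which an "important" action demands
// a fresh sign-in, similar to the Amazon behaviour described above.
const REAUTH_WINDOW = 300;

function credentialsValid(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        // Still run a verify so timing does not reveal valid usernames.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $users[$user]);
}

function loginUser(array $users, string $user, string $password): bool
{
    if (!credentialsValid($users, $user, $password)) {
        return false;
    }
    // Privilege level changes here: issue a new ID and delete the old session
    // (true), so an ID planted or sniffed before login maps to nothing.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Gate for "important" actions: authenticated AND signed in recently enough.
function requireRecentLogin(): bool
{
    if (empty($_SESSION['user']) || empty($_SESSION['login_time'])) {
        return false;
    }
    return (time() - (int) $_SESSION['login_time']) <= REAUTH_WINDOW;
}

function logoutUser(): void
{
    $_SESSION = [];
    // Remove the cookie on the client as well as the data on the server.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $params['path'],
        $params['domain'], $params['secure'], $params['httponly']);
    session_destroy();
}

// Demo flow: ID before login, regenerated ID after login, then the gate.
$before = session_id();
if (loginUser($USERS, 'alice', 'correct horse battery staple')) {
    echo 'Before login: ' . $before . '<br />';
    echo 'After login:  ' . session_id() . '<br />';
    echo 'Order allowed: ' . (requireRecentLogin() ? 'yes' : 'no, sign in again') . '<br />';
} else {
    echo 'Login failed<br />';
}
ob_end_flush();
?>
```

Call requireRecentLogin() at the entry point of every action you consider "important" and redirect to the login form when it returns false; a successful re-login goes through loginUser() again and so rotates the ID once more.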