Encrypting Session ID

Question

Possible Duplicate:
What is the best way to prevent session hijacking?
Is encrypting session id (or other authenticate value) in cookie useful at all?

My session handler stores the session ID in a cookie and returns the value of the cookie to use as a reference to the database.

My question is short and simple. Should I encrypt the session ID in the cookie or would this be pointless?

Thanks! :)

In order to prevent session fixation/hijacking. I'm not sure if it's necessary/will do any good though. :s — user1813383, Nov 11 '12 at 20:34
It is pointless. See a [related answer](http://stackoverflow.com/a/22913/198536). — wallyk, Nov 11 '12 at 20:35
The cookie value being returned from the client to the server is plain text, unencrypted. So your encryption will not do any good. The exception is if the request is via https, in which case you don'e need to encrypt anyway. — Jonathan M, Nov 11 '12 at 20:35

score 5 · Accepted Answer · answered Nov 11 '12 at 20:39

5

This is totally pointless. Even if you encrypt your session id, an encrypted version will be sent to your server via cookie. If someone wants to hijack it he will steal that encrypted session id and send it to your server. Your server will happily decrypt it.

answered Nov 11 '12 at 20:39

Shiplu Mokaddim

54,465
14
131
183

Awesome, thanks! Will accept your answer in 4 minutes. :) – user1813383 Nov 11 '12 at 20:43

Encrypting Session ID

1 Answers1