186 Secure Development for Mobile Apps
the damage. This is one reason re-authentication on privilege elevation is a best practice. Re-authentication stops an attacker before they can change user data.

Enable HTTP Only and Secure Cookies via PHP

Two other critical settings that help prevent session ID hijacking are making sure that the cookie is only sent over SSL and that cookies are only handled by the browser and sent in HTTP headers.

The first measure, ensuring that the cookie is only sent over HTTPS/SSL, means just that. If a user visits a public page over HTTP on the site, the session cookie will not be sent. This prevents the cookie from being intercepted in the clear. This can be checked by looking at the $_COOKIE array during an HTTP request. ...
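The following is an added example, not code from the book, showing how the two cookie settings described above are applied in PHP and how the "look at $_COOKIE during an HTTP request" check can be turned into a runtime guard. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params and setcookie); the function names secure_session_start, cookie_flags_are_hardened and session_cookie_leaked_over_http are hypothetical helpers, and the SameSite attribute goes one step beyond the page's two settings.

```php
<?php
// Added example: hardening the PHP session cookie with the Secure and
// HttpOnly flags and verifying the result. Not the book's own code.

// Weak configuration (what php.ini often ships with): the session cookie
// would be sent over plain HTTP and readable from JavaScript.
// ini_set('session.cookie_secure', '0');
// ini_set('session.cookie_httponly', '0');

// Hardened configuration. Must run before session_start(), because the
// Set-Cookie header is emitted when the session is started.
function secure_session_start(): void
{
    // Secure: browser only sends the cookie over HTTPS.
    ini_set('session.cookie_secure', '1');
    // HttpOnly: cookie is only carried in HTTP headers; document.cookie
    // cannot read it, which blunts session theft via script injection.
    ini_set('session.cookie_httponly', '1');
    // Do not accept session IDs from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded on browser close
        'path'     => '/',
        'domain'   => '',       // current host only (assumption for this example)
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict', // extra: beyond the two settings on the page
    ]);

    session_start();
}

// Check that the effective cookie parameters carry both flags.
function cookie_flags_are_hardened(): bool
{
    $p = session_get_cookie_params();
    return !empty($p['secure']) && !empty($p['httponly']);
}

// The page's manual check, automated: during a request that arrived over
// plain HTTP, the session cookie must NOT appear in $_COOKIE. If it does,
// the Secure flag was not in effect when the cookie was issued, and the
// ID has already travelled in the clear.
function session_cookie_leaked_over_http(array $server, array $cookies): bool
{
    $isHttps = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if ($isHttps) {
        return false; // arriving over TLS is the expected path
    }
    return array_key_exists(session_name(), $cookies);
}

// Usage in a request handler.
if (session_cookie_leaked_over_http($_SERVER, $_COOKIE)) {
    // Defender action: treat the ID as compromised and issue a fresh one
    // once the user is back on HTTPS; here we simply log and refuse.
    error_log('session cookie received over plain HTTP; Secure flag missing');
    http_response_code(400);
    exit;
}

secure_session_start();
if (!cookie_flags_are_hardened()) {
    error_log('session cookie is missing Secure/HttpOnly flags');
}
```

The leak check runs before session_start() on purpose: if the cookie arrived over HTTP, starting the session would resume a possibly intercepted ID. Setting the flags through both ini_set and session_set_cookie_params is redundant but harmless, and protects against a php.ini or .htaccess that silently overrides one of them.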