I have read some security posts on sessions. Although I configured most of it in php.ini on my shared host, some settings I can't.
1) I cannot find session.cookie_secure and session.cookie_httponly in my php.ini. Since I'm still new to PHP, I don't want to just add those two lines to the file without knowing the consequences. Alternatively, I used the approach of editing .htaccess. I'm not sure whether it works or not.
<IfModule php5_module>
    php_flag session.cookie_secure on
    php_flag session.cookie_httponly on
</IfModule>
Is this method all right?
2) Currently I am running version 5.3.28, and php.net states that session.entropy_file supports many Unix systems but only started supporting Windows after 5.3.3, which exceeds my version. The default php.ini has this:
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
Should I be concerned, or am I worrying too much?
3) Should I use setcookie or setrawcookie?
4) I am following "Securely creating and destroying login sessions in PHP" for security; is there anything more I need to take into consideration?
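The following is an added example (it is not code from the question or from any answer) showing how the same settings the .htaccess snippet tries to set can be applied per request from PHP itself, which is useful because Apache only honours php_flag lines when PHP runs as an Apache module; under CGI/FastCGI they are silently ignored. It assumes PHP 5.3 on a Unix host, uses only functions that exist in that version, and reads back the effective values with ini_get so a locked-down shared host that refuses the change is noticed rather than run insecurely. The function and key names (secure_session_start, login_session, logout_session, user_id) are illustrative choices, not anything from the original post.

```php
<?php
// Added example, not from the question or any answer. Assumes PHP 5.3 on Unix.

function secure_session_start()
{
    // Accept the session id only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // With session.entropy_file commented out, PHP 5.3 mixes no extra entropy
    // into the id. Point it at /dev/urandom when that device is readable.
    if (is_readable('/dev/urandom')) {
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '32');
    }
    // Any algorithm from hash_algos() is accepted as of PHP 5.3.
    ini_set('session.hash_function', 'sha256');
    ini_set('session.hash_bits_per_character', '5');

    // Same effect as "php_flag session.cookie_secure on" / "cookie_httponly on",
    // but applied at runtime. Secure is only set when the request came over TLS,
    // otherwise the browser would never send the cookie back at all.
    $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
    session_set_cookie_params(0, '/', '', $secure, true);

    session_start();

    // Report what actually took effect; ini_set can be refused on shared hosts.
    return array(
        'cookie_secure'   => ini_get('session.cookie_secure'),
        'cookie_httponly' => ini_get('session.cookie_httponly'),
        'entropy_file'    => ini_get('session.entropy_file'),
        'use_only_cookies'=> ini_get('session.use_only_cookies'),
    );
}

function login_session($userId)
{
    // Issue a fresh id at the privilege change (defeats session fixation) and
    // delete the old session file so the pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}

function logout_session()
{
    $_SESSION = array();
    // Expire the client's cookie with the same attributes it was issued with.
    // setcookie URL-encodes the value; setrawcookie would send it verbatim.
    // The value is empty here, so either call behaves the same.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a request handler (constructed):
$effective = secure_session_start();
if ($effective['cookie_httponly'] !== '1' || $effective['use_only_cookies'] !== '1') {
    // The host refused the runtime change; surface it instead of running silently.
    error_log('session hardening not in effect: ' . json_encode($effective));
}
```

If ini_get still reports the old values after this runs, the host has locked those directives (for example with php_admin_value), and the remaining options are a per-directory php.ini or .user.ini (PHP 5.3 and later under CGI/FastCGI) or asking the host to change them. On the setcookie versus setrawcookie question for cookies you set yourself: setcookie URL-encodes the value before sending it, setrawcookie sends it exactly as given, so setrawcookie only matters when another system must read the raw bytes; the session cookie itself is emitted by PHP and is unaffected by that choice.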