Avoid predictable or user-supplied session IDs | Critiq Docs

#Metadata

Rule ID: php.security.insecure-session-id-generation
Severity: high
Confidence: 0.88
Languages: php
Presets: security, strict
Stability: stable
Applies to: block
Tags: php, rules-catalog, security, session

#Why it matters

Predictable or attacker-controlled session identifiers enable fixation and session hijacking.

#Remediation

Let PHP generate session identifiers with session_start, or use random_bytes and bin2hex for custom IDs.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.insecure-session-id-generation.rule.yaml.

Back to directory Open rule in repository