A blend of programming and seo

How to improve PHP session security

Sessions in PHP are pretty easy to use. Here is a simple example on how to start a session:

<?php
session_start();
$_SESSION['my_variable'] = 'test';
?>

What is this actually doing?

PHP is an easy language to use, and many details are hidden from the programmer. When you store variables in a session, a cookie is dropped on the user’s system (you don’t have to use cookies, but the details are the same) containing a unique identifier (this is highly randomized and difficult to reproduce). All of the actual data is stored on your server, in a file (the default) or in a specific database table. The random, unique identifier stored in the user’s cookie is then used as the key to their data.

Insecurities

There are a couple of different ways someone could possibly get access to a session. They are:

  • Guessing the session identifier
  • Session hijacking
  • Session sniffing
  • Session storage

Guessing the session identifier: PHP’s built-in session id generator is very random and it is unlikely that someone would be able to guess it.

Session hijacking: A valid session id is all that is needed to successfully hijack a session. In order to improve this, we need to see if there is anything extra in an HTTP request that we can use for extra identification. At first glance, an IP address sounds like a good piece of information to use to identify a user. However, since HTTP is a stateless protocol, you may have users that have a different IP address with every request (I’m not sure how common this is these days, but I used to see this with visitors that were using AOL networks).

A better idea is to use something like the User-Agent header:

<?php
session_start();

// Fingerprint the browser's User-Agent header and tie it to this session.
$ua_hash = md5($_SERVER['HTTP_USER_AGENT'] ?? '');

if (!isset($_SESSION['HTTP_USER_AGENT'])) {
    // First request in this session: record the fingerprint.
    $_SESSION['HTTP_USER_AGENT'] = $ua_hash;
} elseif ($_SESSION['HTTP_USER_AGENT'] !== $ua_hash) {
    // Fingerprint changed: redirect the user back to the login page for authentication.
    exit;
}
?>

Session sniffing: Cookies and all other information between a client and a server are sent in clear text (meaning someone between the client and the server could grab information such as a session id). So, if you are running a site that involves sensitive information, it’s always a good idea to use SSL.

Session storage: If you are on a shared web server, anyone on the system could potentially access the data stored in your sessions (PHP by default stores all session data in files, usually in the /tmp directory).

An alternative to storing them on the filesystem is to store them in a database (I have written a simple class that does just this; you can download it here).

Also, if you are going to store sensitive data in your sessions, you might want to use a 2-way encryption library such as RC4 (available here).


6 comments

1 EllisGL { 04.23.09 at 9:01 am }

My version is mostly the same, but just creates a new session.

// Secure the session.
if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        session_regenerate_id();
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

2 How to improve PHP session security | A blend of programming and seo | Webmaster Tools { 04.23.09 at 10:38 am }

[...] View original here:  How to improve PHP session security | A blend of programming and seo [...]

3 Robert Hafner { 04.23.09 at 12:40 pm }

For reference, it’s not enough to just use SSL. You have to actually tell the session cookie that it needs to use SSL as well, using the “session_set_cookie_params” function.

This function takes five options: lifetime (defaults to the browser session), path (defaults to the current path; it’s sometimes useful to change this to ‘/’), the domain (useful if you want your session to work across subdomains), and finally the two we’re interested in: secure is a boolean telling the system whether to use SSL or not, and the final argument is a boolean to see if JavaScript should be able to access the session cookie (this is one of the most missed security features I’ve seen).

session_set_cookie_params(0, '/', null, isset($_SERVER["HTTPS"]), true);

4 ??????? » [Web] ???? { 04.23.09 at 9:32 pm }

[...] How to improve PHP session security [...]

5 Wayne State Web Communications Blog » Blog Archive » [Friday Links] The Swine Edition { 05.01.09 at 7:50 pm }

[...] How to improve PHP session security | A blend of programming and seo [...]

6 Dr. ROX { 07.18.09 at 4:31 am }

There’s also the session fixation attack, where a hacker can write his own session ID into the address bar, like site.com?sid=587395. You should use session_regenerate() after session_start().
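Pulling together comment 3 (the cookie flags) and comment 6 (fixation), here is an added example, not code from the post or any of its commenters, of a session bootstrap that sets the secure and HttpOnly flags, accepts the session id from the cookie only so a `?sid=` in the URL is ignored, and regenerates the id with session_regenerate_id() at login. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the demo user store and its password are constructed for this example and stand in for a real database lookup.

```php
<?php
// Added example; assumes PHP 7.3+. Not from the post or its commenters.

function demo_user_store(): array
{
    // Constructed for this example: username => password hash.
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

function secure_session_start(): void
{
    // Take the session id from the cookie only (never from ?sid=... in the URL)
    // and reject any id that this server did not generate itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,       // expires when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => $https,  // only ever sent over TLS
        'httponly' => true,    // invisible to document.cookie
        'samesite' => 'Lax',   // not sent with cross-site POSTs
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    $store = demo_user_store();
    if (!isset($store[$username]) || !password_verify($password, $store[$username])) {
        return false;
    }
    // Throw away whatever id the client arrived with and delete its server-side
    // record: an id planted before login stops being valid at this point.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    // Same User-Agent fingerprint the post uses, captured at the moment of login.
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function logout(): void
{
    // Clear the server-side data as well as the cookie binding.
    $_SESSION = [];
    session_destroy();
}

secure_session_start();
var_dump(login('alice', 'correct horse battery staple'));
var_dump(login('alice', 'wrong password'));
```

The `true` passed to session_regenerate_id() deletes the old session record on the server, so a fixated id cannot be replayed after the victim logs in; session.use_strict_mode closes the remaining gap by refusing to initialise a session from an id the server has never issued.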
