Session management is a core part of web security. Developers should ensure that several practices are in place to protect against session hijacking.
There are a couple of ways that session security can be compromised:
Luckily, there are countermeasures that prevent these things from happening, applied through configuration in the php.ini file.
We can add the following settings:
session.use_cookies = 1
session.use_only_cookies = 1
session.use_cookies specifies whether the module will use cookies to store the session ID on the client side.
session.use_only_cookies specifies whether the module will only use cookies to store the session ID on the client side. Enabling this setting prevents attacks that involve passing session IDs in URLs.
Cookies are the preferred way to manage session IDs.
A session ID can be regenerated using the session_regenerate_id() function:
session_regenerate_id();
This replaces the current session ID with a new one while keeping the current session data.
You can also delete the old session by passing the boolean parameter and setting it to true:
session_regenerate_id(true);
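As an added example (not code from the original article), the following shows where session_regenerate_id(true) belongs in practice: at the moment a visitor becomes an authenticated user, so that an ID obtained before login is worthless afterwards. The user table and credentials are constructed for the example; password_hash() and password_verify() are available from PHP 5.5, the version this article is based on.

```php
<?php
// Added example, not part of the original article: regenerate the session ID
// when the privilege level changes (anonymous -> logged in), and expire the
// cookie on logout. Must run before any output is sent.

session_start();

// Constructed sample user store: username => password hash. A real application
// would read this from its user database.
$users = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

// Returns true when the credentials are valid AND the session received a new ID.
function login_user(array $users, $username, $password)
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }

    $oldId = session_id();

    // true: delete the old session file as well, so the pre-login ID cannot be
    // presented again. Data already in $_SESSION is carried over to the new ID.
    session_regenerate_id(true);

    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();

    return session_id() !== $oldId;
}

function logout_user()
{
    $_SESSION = array();

    // Expire the cookie on the client as well, not only the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();
}

// Usage with the constructed store (results collected first, printed once,
// so no output is sent before the session headers).
$results = array(
    'wrong password' => login_user($users, 'alice', 'not the password'),
    'right password' => login_user($users, 'alice', 'correct horse battery staple'),
);
logout_user();
print_r($results);
```

Regenerating only on successful authentication (and on other privilege changes) keeps the cost low while still cutting off any session ID that existed before the user proved who they are.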
Access to the session cookie by scripting languages such as JavaScript can be prevented with the session.cookie_httponly configuration setting.
session.cookie_httponly = On
This marks the cookie as accessible only through the HTTP protocol, which means the cookie won't be accessible to scripting languages such as JavaScript. This setting helps reduce identity theft through XSS attacks.
The same can be done with the session_set_cookie_params() function by passing true as the fifth parameter:
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
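The following is an added example (not from the original article) of a session bootstrap that applies the cookie-only and HttpOnly settings discussed above at runtime, for deployments where php.ini is not under your control. The ini_set() values and the cookie path and domain are assumptions about a typical deployment; the report function returns the effective settings so they can be checked rather than assumed.

```php
<?php
// Added example, not part of the original article: start a session with the
// hardening settings from this article applied at runtime. Everything here
// must run before session_start() and before any output is sent.

function start_hardened_session()
{
    // Keep session IDs out of URLs: cookies only, and never rewrite links
    // to carry the ID.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Equivalent of session.cookie_httponly = On in php.ini.
    ini_set('session.cookie_httponly', '1');

    // Mark the cookie Secure only when the request itself is over HTTPS; on a
    // plain-HTTP request a Secure cookie would never be sent back and the
    // session would not persist. (Assumption: production is served over TLS.)
    $secure = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

    // Parameters in the order the article lists them:
    //   $lifetime = 0   -> cookie expires when the browser closes
    //   $path     = '/' -> whole site (assumption)
    //   $domain   = ''  -> current host only (assumption)
    //   $secure
    //   $httponly = true -> not readable from JavaScript
    session_set_cookie_params(0, '/', '', $secure, true);

    return session_start();
}

// Returns the settings that matter for this article, so a deployment can be
// checked with one call instead of by reading php.ini.
function session_hardening_report()
{
    $cookie = session_get_cookie_params();

    return array(
        'use_only_cookies' => (bool) ini_get('session.use_only_cookies'),
        'use_trans_sid'    => (bool) ini_get('session.use_trans_sid'),   // should be false
        'cookie_httponly'  => (bool) $cookie['httponly'],
        'cookie_secure'    => (bool) $cookie['secure'],
    );
}

start_hardened_session();
print_r(session_hardening_report());
```

Calling session_set_cookie_params() sets the flags for the current request only, so it has to run on every request before session_start(); putting it in a shared bootstrap file, as above, keeps it from being forgotten on one page.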
Some basic session security measures should also be followed:
Note: This article is based on PHP version 5.5.