This post covers the Session Security section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Additional measures should be taken by a developer to protect against session identity theft and preserve the confidentiality of a session.
There are lots of ways that a session ID can be leaked to third parties, including:
- Session hijacking, where the session ID is stolen and it is the sole authentication of the website.
- Session fixation, where the user gets a fixed session ID (usually through a specifically crafted URL).
Sessions can also be stolen through JavaScript injection, by attackers listening to non-secure network traffic (no SSL certificate), or through physical access to your device.
Whilst it may sound like sessions are relatively easy for third parties to get hold of, there are some countermeasures that massively reduce the risk and keep the session data confidential.
As of PHP version 5.5.2, you can configure the session.use_strict_mode configuration directive within the php.ini file. When this is enabled, an uninitialised session ID is rejected and a new session ID is created, which prevents an attack that forces users to use a known session ID.
Note that the above directive will not prevent an attacker from forcing a user to use an already initialised session ID. The recommended procedure is to combine session.use_strict_mode with session_regenerate_id(), which replaces the current session ID with a new one but keeps the current session information. You can choose to delete the old session by adding the boolean parameter and setting it to true:
session_regenerate_id(true);
The preferred way of managing session IDs is with cookies. session.use_only_cookies specifies whether the module will only use cookies to store the session ID on the client side. Enabling this setting prevents attacks that involve passing session IDs in URLs.
Access to the session cookie by scripting languages such as JavaScript can be prevented by using session.cookie_httponly in php.ini:
session.cookie_httponly = On
This marks the cookie as accessible only through the HTTP protocol and means that it won't be accessible by scripting languages such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks.
This can also be done with the session_set_cookie_params() function by passing true as the fifth parameter:
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
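The following is an added example, not code from the original post, that puts the pieces above together into one session bootstrap for PHP 7.0: strict mode and cookie-only IDs via ini_set(), the cookie flags via the five-parameter session_set_cookie_params() call, and session_regenerate_id(true) on login. The function names startSecureSession(), onLoginSuccess() and logout() are the example's own, and it assumes the site is served over HTTPS (so the secure flag can be set) and that it runs before any output is sent.

```php
<?php
// Added example (not from the original post): a secure session bootstrap
// for PHP 7.0 combining the measures discussed in the text.
// Assumptions: called at the top of every request before any output, and
// the site is served over HTTPS so the secure cookie flag is usable.

declare(strict_types=1);

function startSecureSession(): void
{
    // Reject uninitialised session IDs supplied by the client (PHP >= 5.5.2),
    // so a session ID chosen by an attacker is never adopted as-is.
    ini_set('session.use_strict_mode', '1');

    // Accept the session ID only from a cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');

    // Cookie parameters must be set before session_start() sends the cookie.
    $lifetime = 0;      // 0 = cookie expires when the browser is closed
    $path     = '/';
    $domain   = '';     // empty = current host only
    $secure   = true;   // assumption: HTTPS only; never sent over plain HTTP
    $httponly = true;   // fifth parameter: not readable from JavaScript
    session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);

    session_start();
}

// Call on successful authentication or any other privilege change.
function onLoginSuccess(int $userId): void
{
    // Swap the session ID and delete the old session file, so an ID an
    // attacker may have learned before login no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function isLoggedIn(): bool
{
    return isset($_SESSION['user_id']);
}

function logout(): void
{
    // Clear server-side data, expire the client cookie, then destroy.
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $params['path'],
        $params['domain'],
        $params['secure'],
        $params['httponly']
    );
    session_destroy();
}

// Usage sketch (hypothetical request handling, shown for illustration):
startSecureSession();

if (($_POST['action'] ?? '') === 'login') {
    // A real application verifies credentials here (e.g. password_verify()).
    // Constructed user id 42 stands in for the result of that check.
    onLoginSuccess(42);
} elseif (($_POST['action'] ?? '') === 'logout' && isLoggedIn()) {
    logout();
}
```

Note that session_set_cookie_params() only affects the cookie PHP sends for this request, so it has to run on every request before session_start(); putting the same values in php.ini (session.cookie_secure, session.cookie_httponly) achieves the same result without repeating the call.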
A summary of the recommended session security measures can be seen below.
- session_regenerate_id(true). Passing boolean true removes the old session.
- session.use_only_cookies = 1
- session.cookie_httponly = 1
HTTP session management is the core of web security, so ensure that you take the measures necessary to protect the session information.
Note: This article is based on PHP version 7.0.