Zend PHP 7 Certification – Security – Session Security

This post covers the Session Security section of the PHP Security chapter when studying for the Zend PHP 7 Certification.

Additional measures should be taken by a developer to protect against session identity theft and preserve the confidentiality of a session.

There are lots of ways that a session ID can be leaked to third parties. Two common attacks are session hijacking, where the session ID is stolen and it is the sole authentication for the website, and session fixation, where the user is given a fixed session ID (usually through a specifically crafted URL).

Sessions can also be stolen through JavaScript injection, by attackers listening to non-secure network traffic (no SSL certificate), or through physical access to your device.

Whilst it may sound like sessions are relatively easy for third parties to get hold of, there are counter measures that massively reduce the risk and keep the session data confidential.

As of PHP version 5.5.2, you can configure the session.use_strict_mode configuration directive within the php.ini file. When this is enabled, an uninitialised session ID is rejected and a new session ID is created, which prevents an attack that forces users to use a known session ID.

Note that the above directive will not prevent an attacker from forcing a user to use an initialised session ID. The recommended procedure is to combine session.use_strict_mode with session_regenerate_id(), which replaces the current session ID with a new one but keeps the current session information.

You can choose to delete the old session by adding the boolean parameter and setting it to true.

session_regenerate_id(true);

The preferred way of managing session IDs is with cookies. session.use_only_cookies specifies whether the module will only use cookies to store the session ID on the client side. Enabling this setting prevents attacks that involve passing session IDs in URLs.

Access to the session cookie by scripting languages such as JavaScript can be prevented by using session.cookie_httponly in php.ini.

session.cookie_httponly = On

This marks the cookie as accessible only through the HTTP protocol and means that it won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks.

This can also be done using the session_set_cookie_params() function, passing true as the fifth parameter.

session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);

A summary of the recommended session security measures can be seen below.

  • Regenerate the session ID upon login, before authentication, using session_regenerate_id(true). Passing boolean true removes the old session and is critical as a counter measure.
  • Regenerate the session ID prior to critical operations, such as logging into a page with sensitive information.
  • Use SSL encryption for the login.
  • Check that the IP address remains the same (although not always reliable).
  • Use a short session timeout.
  • Provide user logout.
  • Destroy the old session and create a new one with session_regenerate_id(true).
  • Set the PHP configuration directive session.use_only_cookies = 1.
  • Prevent JavaScript access to the session cookie with the PHP configuration directive session.cookie_httponly = 1.
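The following login script, added here as an example and not code from the original post, puts the measures above together in one place: strict mode and cookie-only IDs, a Secure/HttpOnly cookie with a short lifetime, an idle timeout and IP check, session_regenerate_id(true) on successful login, and a logout that destroys the session. The verify_credentials() function and the 'demo' account are hypothetical placeholders for the application's own user store.

```php
<?php
// Added example, not code from the original post. verify_credentials() and the
// 'demo' account are hypothetical stand-ins for the application's user store.
// php.ini directives from the post; ini_set() also works if run before session_start().
ini_set('session.use_strict_mode', '1');  // reject uninitialised session IDs
ini_set('session.use_only_cookies', '1'); // never read a session ID from the URL

// Cookie attributes, using the positional signature shown in the post:
// session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly)
session_set_cookie_params(900, '/', '', true, true);
session_start();

// Short idle timeout (15 minutes) plus a best-effort IP consistency check;
// a stale or relocated session is discarded and a fresh, empty one started.
$now   = time();
$stale = isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > 900;
$moved = isset($_SESSION['ip']) && $_SESSION['ip'] !== $_SERVER['REMOTE_ADDR'];
if ($stale || $moved) {
    $_SESSION = [];
    session_destroy();
    session_start();
}
$_SESSION['last_activity'] = $now;

function verify_credentials(string $user, string $password): bool
{
    // Hypothetical: a real implementation loads the stored hash for $user.
    $stored_hash = password_hash('demo-pass', PASSWORD_DEFAULT); // constructed sample
    return $user === 'demo' && password_verify($password, $stored_hash);
}

function logout(): void
{
    // Clear data, expire the cookie on the client, then destroy the session.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    logout();
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST'
    && verify_credentials($_POST['user'] ?? '', $_POST['password'] ?? '')) {
    // Fixation counter-measure: new ID, old session deleted, so a planted ID is worthless.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
    $_SESSION['ip']   = $_SERVER['REMOTE_ADDR'];
}
```

Everything that sets session or cookie options runs before session_start() and before any output, since the cookie is sent as a response header.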

HTTP session management is the core of web security, so ensure that you take the measures necessary to protect the session information.


Note: This article is based on PHP version 7.0.