This post covers the Session Security section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Additional measures should be taken by a developer to protect against session identity theft and preserve the confidentiality of a session.
There are lots of ways that a session ID can be leaked to third parties, including hijacking, when the session ID is stolen and it is the sole authentication of the website. Session fixation – When the user gets a fixed session ID (usually through a specifically crafted URL).
Whilst it may sound like sessions are relatively easy for third parties to get hold of, there are some counter measures to massively reduce the risk and to keep the session data confidential.
As of PHP version 5.5.2, you can configure a
session.use_strict_mode configuration directive within the
php.ini file. When this is enabled, an uninitialised session ID is rejected and a new session ID is created, which prevents an attack that forces users to use known session ID.
Note that the above directive will not prevent an attacker from forcing a user to use initialised session IDs. The recommended procedure is to combine
session_generate_id(), which will replace the current session ID with a new one but keep the current session information.
You can choose to delete the old session by adding the boolean parameter and setting it to
The preferred way of managing session IDs is with cookies.
session.cookie_httponly = On
This can also be done the
session_set_cookie_params() function passing in true as the fifth parameter.
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
A summary of recommended session security that should be taken can be seen below.
session_regenerate_id(true). Passing boolean
session.use_only_cookies = 1.
session.cookie_httponly = 1.
HTTP session management is the core of web security, so ensure that you take the measures necessary to protect the session information.
View the other sections:
Note: This article is based on PHP version 7.0.