Session hijacking and PHP

security php session session-hijacking

Lets just consider the trust that the server have with the user.

Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php)

Session sidejacking: SSL encryption for the entire site.

Am I safe ?


Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding".

You should use this code in a php header file:

ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);
session_start();

This code prevents session fixation. It also helps protect against xss from access document.cookie which is one way that Session Hijacking can occur. Enforcing HTTPS only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also STS is a very cool security feature, but not all browsers support it (yet).


I would also suggest storing the user agent and ip information in the session, and verifying it on each request. It's not bullet-proof, but it is a fairly significant increase in robustness. While UA forging is really easy, IP forging, while possible, is MUCH harder... But you may have issues with users who are behind a round-robin IP system such as AOL users...

Related

Getting all visible text from a webpage using Selenium
Multicolumn index on 3 fields with heterogenous data types
Is there any option for local database like Sqlite for j2me - CLDC devices?
How to execute Python script from Java (via command line)?
Can AJAX request data from a remote server?
dynamic memory for 2D char array
MS Chart Control Two Y Axis
How can I use my sql knowledge with Cloudant/CouchDB?
Sending columns of a matrix using MPI_Scatter
What is a spectrogram and how do I set its parameters?
C++ type registration at compile time trick
Get variable from PHP file using JQuery/AJAX