Secure PHP sessions?
Note: This article contains slightly outdated code. For some more up-to-date PHP snippets take a look here
Today's post will be about security, again. Most fresh developers don't focus on security when they develop applications. Many of them don't even know what threats are out there.
My focus on secure PHP sessions started with a discussion on a Norwegian PHP IRC channel. One of my fellow chatters stated that if a session key was disclosed, hijacking the session would be easy as pie: just create a cookie containing the key.
I replied (maybe jumping into water way over my head) that if that was the case, the application was poorly written. And in my opinion, I still think this is the case. Although it's not possible to be 100% secure, there are some methods that will improve the security of your application.
Changing the session key
This is important. In my opinion you should change the session ID (the "session key" above) regularly, ideally for each new request the user makes: if someone gets hold of a session ID, it will most likely have expired already. PHP has a dedicated call for this, session_regenerate_id(true), which issues a fresh ID, keeps the data in $_SESSION and deletes the old server-side record; destroying the session and starting a new one is not a reliable substitute, because session_start() will simply pick the old ID up again from the cookie. One caveat: rotating on every request can log users out when the browser sends several requests at once (AJAX calls, several tabs), since the second request may still carry an ID the first one just invalidated. Rotating at login and at a fixed interval is the usual compromise.
<?php
session_start();
echo "Old session ID: " . session_id();
// Replace the session ID with a freshly generated one. The data in $_SESSION
// is kept; the argument true deletes the old server-side record as well, so the
// old ID cannot be resumed by anyone who captured it.
session_regenerate_id(true);
echo "New session ID: " . session_id();
?>
This script will return something like this:
Old session ID: 27981ed0f35f1f8998037fd60ec56
New session ID: ff627981ed0f35f1f8998037fd60ec56
Let us assume that an attacker finds a user's session ID. If the user has made another request to the server since then, the ID the attacker holds is useless. (If the attacker uses it before the user does, the reverse happens: the legitimate user is the one who gets locked out, which is at least noticeable.)
Checking the user-agent
The user-agent is an identification string sent by the browser when it requests a page. Although I don't think you should trust HTTP headers sent by the client, I feel that checking the user-agent for changes should be done: it requires more work from an attacker to successfully hijack a session. Keep in mind that it is only a speed bump, since whoever captured the cookie (from sniffed traffic, for instance) usually captured the User-Agent header with it and can simply replay it.
<?php
session_start();
// Hash the header rather than storing it verbatim in the session
$ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (!isset($_SESSION['ua'])) {
    // first request of this session: remember the browser fingerprint
    $_SESSION['ua'] = $ua;
} elseif (!hash_equals($_SESSION['ua'], $ua)) {
    // the browser identification changed mid-session: drop the session
    echo "Your user-agent has changed, please login again.";
    $_SESSION = [];
    session_destroy();
    exit(0);
}
?>
Checking the IP address
Checking the IP address ($_SERVER['REMOTE_ADDR']) can be done the same way as checking the user-agent, but in my opinion the user should be able to disable this check upon login, since many users are behind proxy servers or on mobile networks, and therefore their IP address could change during the session.
Using Secure Socket Layer
Secure Socket Layer (SSL), today Transport Layer Security (TLS), is used to encrypt the HTTP traffic between the server and the client (HTTPS). It requires some work from the server administrator to enable, but it boosts security a lot: it prevents an attacker from listening in on your HTTP traffic and stealing your session ID or other sensitive information. Set session.cookie_secure to 1 as well, so that the browser never sends the session cookie over plain HTTP, where it could be sniffed even if the rest of the site uses TLS.
Teaching the user to log out
The log out link is there for a reason. When the user clicks it, all session data should be removed, and an attacker will not (should not) be able to continue the session no matter what. Note that session_destroy() alone removes only the server-side record: it neither clears $_SESSION for the rest of the request nor deletes the cookie in the browser, so a complete logout has to do all three.
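As an added example (not code from the original post), here is one way to combine the measures above in a single guard: the cookie flags that go with the TLS-only setup, periodic session_regenerate_id(true), the user-agent check, an opt-in IP check, and a logout that removes the cookie as well as the server-side record. It assumes PHP 7.3 or newer and a hypothetical application that calls secure_session_start() at the top of every page, on_successful_login() after verifying credentials, and secure_logout() from the log out link; the 300-second rotation interval is an arbitrary choice.

```php
<?php
// Added example: a session guard combining the measures discussed in the post.
// Assumed: PHP >= 7.3, a hypothetical app calling these functions as described
// in the lead-in. The rotation interval below is an arbitrary value.

declare(strict_types=1);

const SESSION_REGENERATE_INTERVAL = 300; // seconds between ID rotations (assumed)

function ua_fingerprint(): string
{
    // Hash the header instead of storing it; sha256 rather than md5.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function secure_session_start(bool $https = true): void
{
    // Cookie flags: only over TLS, not readable by JavaScript, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Refuse IDs the server never issued (defeats fixation via a chosen ID).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();

    $now = time();

    if (!isset($_SESSION['ua'])) {
        // First request of this session: record the fingerprint and timestamp.
        $_SESSION['ua'] = ua_fingerprint();
        $_SESSION['ip'] = null; // filled in at login only if the user opts in
        $_SESSION['regenerated_at'] = $now;
        return;
    }

    // User-agent changed mid-session: treat the session as hijacked.
    if (!hash_equals($_SESSION['ua'], ua_fingerprint())) {
        secure_logout();
        http_response_code(403);
        exit('Your user-agent has changed, please log in again.');
    }

    // IP binding is opt-in because proxies and mobile networks change addresses.
    if ($_SESSION['ip'] !== null && $_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        secure_logout();
        http_response_code(403);
        exit('Your IP address has changed, please log in again.');
    }

    // Rotate the ID at a fixed interval rather than on every request: rotating
    // on every request loses the session when concurrent requests (AJAX, several
    // tabs) race each other with an ID that has just been invalidated.
    if ($now - ($_SESSION['regenerated_at'] ?? 0) > SESSION_REGENERATE_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['regenerated_at'] = $now;
    }
}

function on_successful_login(int $userId, bool $bindIp): void
{
    // Always rotate the ID when the privilege level changes, so an ID an attacker
    // obtained (or planted) before login does not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['ip'] = $bindIp ? ($_SERVER['REMOTE_ADDR'] ?? '') : null;
    $_SESSION['regenerated_at'] = time();
}

function secure_logout(): void
{
    // 1. forget the data for the rest of this request
    $_SESSION = [];
    // 2. expire the cookie in the browser, using the parameters it was set with
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    // 3. remove the server-side record so the old ID can never be resumed
    session_destroy();
}
```

The order of the three steps in secure_logout() matters less than doing all of them: clearing $_SESSION stops the current request from using the data, the setcookie() call makes the browser drop the ID, and session_destroy() makes sure the ID is dead on the server even for a client that keeps sending it.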
