MDanz Posted July 1, 2012

I've looked everywhere and haven't found a clear step-by-step tutorial on how to secure sessions/cookies. Here are snippets of my code; I'd like to know how I can improve on session security to prevent fixation/hijacking and cookie safety. This is code for the user login system.

login.php

```php
// Credentials were looked up from the database into $dbusername / $dbpassword.
if ($username == $dbusername && $hashed_password == $dbpassword) {
    // One-year cookies holding the username and user id
    setcookie('username[0]', $username, time() + (60*60*24*365));
    setcookie('username[1]', $userid, time() + (60*60*24*365));
    if ($admin == '1') {
        $_SESSION['admin'] = 1;
    }
    $_SESSION['logged-in'] = 1;
    header('Location: ' . $return);
}
```

logout.php

```php
// Expire the cookies by setting their expiry one year in the past
$time = time() - (60*60*24*365);
setcookie('username[0]', '', $time);
setcookie('username[1]', '', $time);
unset($_COOKIE['username']);
unset($_SESSION['logged-in']);
unset($_SESSION['admin']);
```

I call session_regenerate_id() on every page, is that correct to stop session fixation/hijacking?

```php
session_start();
session_regenerate_id();
```

php.ini

```ini
session.use_trans_sid = 0
session.user_only_cookies = 1
```

Can you please tell me what I should do to improve on this?
jcbones Posted July 1, 2012

If someone rides in on a session id, they will get the regenerate code as well. I think the most common way is to use tokens, where tokens are set in the URL (usually an md5 hash of browser and time), then checked against the same token saved in the session.
MDanz (Author) Posted July 1, 2012

> If someone rides in on a session id, they will get the regenerate code as well. I think the most common way is to use tokens, where tokens are set in the URL (usually an md5 hash of browser and time), then checked against the same token saved in the session.

I don't understand "Where tokens are set in the URL"? This would be easier for me to understand with a full example. Do I have to md5 hash the session name?

```php
$var = md5(rand() * time());
$_SESSION[$var] = 1; // logged in
```

"set in the URL"? ...I'm totally confused right now...
jcbones Posted July 1, 2012

```php
<?php
session_start();
// Reuse the token from the URL if present, otherwise mint one from the user agent and time.
$token = (!isset($_GET['token'])) ? md5($_SERVER['HTTP_USER_AGENT'] . time()) : $_GET['token'];
// Remember the first token seen for this session.
$_SESSION['token'] = (empty($_SESSION['token'])) ? $token : $_SESSION['token'];
if ($token != $_SESSION['token']) {
    exit('Invalid security measures!');
}
?>
<!-- the token came from the query string, so escape it before echoing into HTML -->
<a href="?token=<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">Next</a>
```

If the hijacker doesn't have the token, he cannot access the page.
MDanz (Author) Posted July 1, 2012

Thanks, so that is for pages with privileges? Do I need to change any of my code regarding session/cookie security for just regular login?
xyph Posted July 2, 2012

The easiest way to avoid session fixation/hijacking is to force the use of cookies, and use SSL (HTTPS) for cookie transmission. At the very least, you want to regenerate session IDs (session_regenerate_id) when privileges escalate (like when a user logs in). This prevents session fixation. If you want to be extra paranoid, don't allow long-term sessions (remember-me).

In the end though, this is usually a client-side issue. Most commonly, Man-in-the-Middle attacks, the user copy/pasting a session ID in the URI, or following a link generated by a stranger. There's only so much you can do to protect stupid.
scootstah Posted July 3, 2012

Here's a pretty good article for session hijacking: http://phpsec.org/projects/guide/4.html
gizmola Posted July 3, 2012

Avoiding session fixation is handled by this:

```ini
session.use_cookies = 1
session.use_only_cookies = 1
```

You have a misspelling in your post, but I don't know if that is just a typo. Check it to be sure.

As for session hijacking... well, if you are not securing your connection then the data being transmitted is sniffable, and the session can be hijacked. Regenerating a session id by itself does nothing. Instead, the philosophy behind session regeneration is that, anytime you are going to allow someone to escalate their level of privilege, you are going to prompt them for authentication again. You then regenerate the session id, which in essence should orphan the session hijacker back at the old, unescalated level, until they once again hijack your session!
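Putting xyph's and gizmola's advice together (cookie-only sessions over HTTPS, a fresh session id at the moment privileges escalate, and a logout that really destroys the session), here is an added example of what the original login.php/logout.php could look like. It is not code from anyone in the thread; it assumes PHP 7.3 or later (array form of session_set_cookie_params), HTTPS, and that $dbpassword, $userid, $admin and $return come from the same database lookup as in the first post, with $dbpassword now a password_hash() value.

```php
<?php
// Harden the session cookie before the session starts.
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue (no fixation)
session_set_cookie_params([
    'lifetime' => 0,       // browser-session cookie, no long-lived "remember me"
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS, so it cannot be sniffed in transit
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Call this only after the credentials have been verified.
function loginUser(int $userId, bool $isAdmin): void
{
    // Privilege escalates here, so discard the pre-login session id: an id an
    // attacker planted or observed earlier no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION = [
        'logged-in' => 1,
        'user_id'   => $userId,
        'admin'     => $isAdmin ? 1 : 0,
        // Coarse fingerprint; a mismatch on a later request is a reason to re-authenticate.
        'ua_hash'   => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the session cookie in the browser as well as destroying it on the server.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// login.php: replaces the username/userid cookies from the first post, which
// are not needed once the identity lives in the server-side session.
if (password_verify($_POST['password'] ?? '', $dbpassword)) {
    loginUser((int) $userid, $admin === '1');
    header('Location: ' . $return);
    exit;
}
```

On every later page, check $_SESSION['logged-in'] and compare the stored ua_hash with the current user agent; nothing about the user needs to be read back from client-side cookies.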