Jump to content

Recommended Posts

I've looked everywhere and haven't found a clear step by step tutorial on how to secure sessions/cookies.  Here are snippets of my code, i'd like to know how i can improve on session security to prevent fixation/hijacking and cookie safety.  This is code for the user login system.

 

login.php

if ($username==$dbusername&&$hashed_password==$dbpassword)
			   {

					setcookie('username[0]',$username,time()+(60*60*24*365));
					setcookie('username[1]',$userid,time()+(60*60*24*365));

					if($admin=='1') {
						$_SESSION['admin'] = 1;
					}	

					$_SESSION['logged-in'] = 1;

				   header( 'Location: ' . $return );


			   }

 

 

logout.php

$time = time()-(60*60*24*365);

setcookie('username[0]', '',$time);
setcookie('username[1]', '',$time);
unset($_COOKIE['username']); 
unset($_SESSION['logged-in']);
unset($_SESSION['admin']);

 

I call session_regenerate_id() on everypage, is that correct to stop session fixation/hijacking?

session_start(); session_regenerate_id();

 

php.ini

session.use_trans_sid = 0
session.user_only_cookies = 1

 

Can you please tell me what i should do to improve on this? 

If someone rides in on a session id, they will get the regenerate code as well.

 

I think the most common way is to use tokens.  Where tokens are set in the URL (usually a md5 hash of browser and time), then checked against the same token saved in the session.

If someone rides in on a session id, they will get the regenerate code as well.

 

I think the most common way is to use tokens.  Where tokens are set in the URL (usually a md5 hash of browser and time), then checked against the same token saved in the session.

 

I don't understand "Where tokens are set in the URL"?  This would be easier for me to understand with a full example. 

 

Do i have to md5 has the session name? 

 

$var = md5(rand()*time());
$_SESSION[$var]=1; //logged in

 

"set in the URL"?  ..i'm totally confused right now..

<?php
session_start();
$token = (!isset($_GET['token'])) ? md5($_SERVER['HTTP_USER_AGENT'] . time()) : $_GET['token'];
$_SESSION['token'] = (empty($_SESSION['token'])) ? $token : $_SESSION['token'];

if($token != $_SESSION['token']) {
exit('Invalid security measures!');
}
?>
<a href="?token=<?php echo $token;?>">Next</a>

 

If the hijacker doesn't have the token, he cannot access the page. 

The easiest way to avoid session fixation/hi-jacking is to force the use of cookies, and use SSL(HTTPS) for cookie transmission.

 

At the very least, you want to regenerate session IDs (session_regenerate_id) when privileges escalate (like when a user logs-in). This prevents session fixation.

 

If you want to be extra paranoid, don't allow long-term sessions (remember-me).

 

In the end though, this is usually a client-side issue. Most commonly, Man-in-the-Middle attacks, the user copy/pasting a session ID in the URI, or following a link generated by a stranger. There's only so much you can do to protect stupid :P

Avoiding session fixation is handled by this:

 

session.use_cookies = 1
session.use_only_cookies = 1

 

You have a mispelling in your post, but I don't know if that is just a typo.  Check it to be sure.

 

As for session hijacking... well if you are not securing your connection then the data being transmitted is sniffable, and the session can be hijacked.  Regenerating a session id by itself does nothing.  Instead, the philosophy behind session regeneration is that, anytime you are going to allow someone to escalate their level of privilege, you are going to prompt them for authentication again.  You then regenerate the session id, which in essence should orphan the session hijacker back at the old, unescalated level, until they once again hijack your session!

 

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.