Sessions & Cookies secure?

[Skylight_lady]

Hi guys, is this session and cookies script very secure? I am inexperienced in this.

<?php
function mysession() {
    $name_of_session = '_sessions';
    $cookie_domain = "www.mydomain.com";
    if (strpos($_SERVER['REQUEST_URI'], 'securearea')) {
        $cookie_path = "/securearea/";
        $save_path = '/sess';
    } else {
        if (strpos($_SERVER['REQUEST_URI'], 'contact') && !strpos($_SERVER['REQUEST_URI'], 'securearea')) {
            $cookie_path = "/contact/";
            $save_path = '/sess';
            ini_set('session.hash_function', 'sha512');
            ini_set('session.save_path', $save_path);
            ini_set('session.gc_maxlifetime', 3600);
            ini_set('session.gc_probability', 1);
            ini_set("session.cookie_lifetime", 0);
            $_SESSION['created'] = time();
            if (time() - $_SESSION['created'] > 5) {
                session_destroy();
                session_unset();
            }
        } else {
            $cookie_path = "/securearea/";
            $save_path = '/sess';
            ini_set('session.hash_function', 'sha512');
            ini_set('session.save_path', $save_path);
            ini_set('session.gc_probability', 1);
        }
    }
    $cookie_secure = true;
    $http_only = true;
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);
    ini_set('session.cookie_secure', 1);
    ini_set('session.use_strict_mode', 0);
    ini_set('session.cookie_httponly', 1);
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookie_path, $cookie_domain, $cookie_secure, $http_only);
    session_name($name_of_session);
    check_session();
    session_write_close();
    $cleansession = @check_session();
    if (!$cleansession) {
        session_regenerate_id(true);
        check_session();
    }
    session_regenerate_id(true);
}
function check_session() {
    if (isset($_COOKIE[session_name()]) && preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[session_name()])) {
        session_start();
    } else if (isset($_COOKIE[session_name()])) {
        unset($_COOKIE[session_name()]);
        session_start();
    } else {
        session_start();
    }
}
function new_session_start() {
    $_SESSION = array();
    session_get_cookie_params();
    session_destroy();
    mysession();
    $_SESSION['new_id'] = new_id();
    $_SESSION['new_string'] = new_string($new_id);
    $new_id = $_SESSION['new_id'];
    $new_string = $_SESSION['new_string'];
}
?>

It would be of great help if you can tell me. I also have a little problem from a security scan that shows session files being empty. Is there a way to stop this when sessions are being tampered with?

[Jacques1]

Your approach to configuring sessions at runtime is messy, error-prone and downright nonsensical. For example, why on earth should there be different hash functions or garbage collector parameters depending on the request URL? You've also missed a lot of critical features like the randomness of the session IDs.

 

Instead of going through those if-then-else gymnastics, you should configure most parameters globally in the php.ini. I've collected the most important settings in this thread:

 

Making PHP sessions secure

 

If you need a special “secure” area, you should use subdomains instead of paths and additionally separate the sessions server-side (by using different save paths or including the domain in the session data). Your current solution doesn't provide any actual isolation, because the user can just change the cookie settings locally (you know that cookies can be manipulated, right?).

[Skylight_lady]

Hi Jacques1,

 

Thank you for your advice and helping me.

 

I edited the whole file to be displayed for here and deleted the other url's like the registration url. Each of these url's have a different save path so I can separate them and tell them apart. Sorry for the confusion of displaying the same save path in both of the 2 areas above.

 

I think the session.hash_function should be set to 1 but i'm not sure where I got the sha512 from   Is there any need to use that in php 7.0 or even an alternative to it (is the alternative the secure_random() function within the link you provided)? I would have to test it later. The garbage collector parameters are used as an alternative to delete those sessions from each path. If not deleted then a cron job will sort it out. I did notice that ive set that garbage collection to 3600 while its deleted after 5 seconds (that was for testing purposes).

 

I understand about using the php.ini and will export those ini_set functions i've currently set in my php code into the php.ini instead. I found 2 new things in your link that i've avoided which was the session.use_cookies and session.referer_check with which I will add, thanks.

 

I also have SameSite=Strict associated with the Set-Cookie Header which prevents csrf. The new_session_start() function is based on the csrf tokens in the forms itself with the value of it being generated the same way you have generated it in the secure_random() function within the link you provided.

 

Also, isn't sha512 better to use than sha256 (which you have set in the links session_secret)?

 

Finally, is there a difference between session_set_cookie_params() and setcookie() as they both seem to do the same thing.

[Jacques1]

If you want a proper review, we need to see your real code, not something you've written just for this forum.

 

Different save paths are a good idea, but that alone is still very weak isolation, because there are no client-side boundaries. For example, if one area has a cross-site scripting vulnerability, an attacker can steal the CSRF token from the other area with a simple GET request and attack that area as well. Using separate domains prevents this due to the same-origin policy.

 

The session hash function isn't relevant for security. In fact, this option has been completely removed in PHP 7.1. If you're using an older version, both names like “sha512” and numbers (0 for MD5, 1 for SHA-1) are valid. My point was that you shouldn't set the hash function at runtime depending on the URL. Pick one function and then set it globally in the PHP configuration.

 

Garbage collection does not reliably delete sessions after a specific time. The session GC is only triggered with a certain probability when a request is made. So the sessions can survive much longer than 3600 seconds, unless you implement your own check. The check you've shown didn't really make sense, though, because you did it immediately after creating the session. You have to do it for each request when resuming the session.

 

The SameSite cookie parameter is still very new and not widely supported. It's fine to use it as additional protection for certain browsers, but don't rely on it in any way.

 

 

 

Also, isn't sha512 better to use than sha256 (which you have set in the links session_secret)?

 

No. Hashes of high-entropy input like the session secret are immune to brute-force attacks as long as the hash algorithm is any good. So it doesn't matter if you use MD5, SHA-1, SHA-512 or whatever.

 

 

 

Finally, is there a difference between session_set_cookie_params() and setcookie() as they both seem to do the same thing.

 

The former defines the parameters specifically for the session cookie, the latter creates an arbitrary cookie.