  1. #1 just.a.guy, New Coder

    Learning PHP Session Security Practices

    Hi,

    I am new to PHP. I have been reading about PHP sessions. One comment
    said that unless you are an "experienced" PHP person, you should not
    use "sessions". That leaves me with saving data in cookies, which I
    view as even less secure.

    I have tried to do some homework on this subject. Now I am
    asking you to provide input to help me and others write a secure
    PHP web script.

    I have read that each input item from the user needs to be filtered.
    I am not addressing that point at this time.

    I assume that every file in the website directory could be a candidate
    for an attack.

    Therefore, I am looking for a canned set of logic that I can place
    at the start of each file that will attempt to make it more secure.

    Here is the file that I have gathered from multiple sources. Please
    look at it and provide your input.

    PHP Code:

    <?php
    // check for possible xss cookie attack.
    if (isset($_COOKIE['session_id']) && !preg_match('#^[[:alnum:]]+$#', $_COOKIE['session_id']))
    {
        unset($_COOKIE['session_id']);    // protect from attacked cookie sid
    }

    // idle limit in seconds; the constant is never defined in the post,
    // so an assumed value is supplied here to make the file runnable
    if (!defined('MAX_IDLE_TIME'))
    {
        define('MAX_IDLE_TIME', 300);
    }

    // limit session length
    ini_set('session.gc_maxlifetime', 600);   // force short session - 600 s max!
    session_cache_expire(15);    // limit browser reuse of old data to 15 min.
    session_cache_limiter('private_no_expire');  // keep cached pages out of public pool

    // force session to be passed in cookie; don't allow url session ids
    ini_set("session.use_cookies", 1);    // for security use cookies to get sid
    ini_set("session.use_trans_sid", 0);     // keep session id out of URL

    // initialize session for first time calls
    if (session_id() == "")           // handle session.auto_start = true situation
    {
        session_start();
    }

    // change session id on each user response
    session_regenerate_id();  // force new id on each interaction

    // the User-Agent header may be absent; read it once, defaulting to ''
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    if (!isset($_SESSION['SERVER_GENERATED_SID'])) // 2nd time through?
    {
        // no, either initial login or possible attack
        $_SESSION['PREV_REMOTE_ADDR']     = $_SERVER['REMOTE_ADDR'];
        $_SESSION['timeout_idle']         = time() + MAX_IDLE_TIME;
        $_SESSION['SERVER_GENERATED_SID'] = true; // flag as generated by me
        $_SESSION['PREV_USER_AGENT']      = $user_agent;
        // validate user / login process
    }

    if (!isset($_SESSION['PREV_REMOTE_ADDR']))
    {
        // possible attack
        $_SESSION['PREV_REMOTE_ADDR']     = $_SERVER['REMOTE_ADDR'];
        $_SESSION['timeout_idle']         = time() + MAX_IDLE_TIME;
        $_SESSION['PREV_USER_AGENT']      = $user_agent;
        $_SESSION['SERVER_GENERATED_SID'] = true; // flag as generated by me
        // validate user/login
    }
    else
    {
        $_SESSION['PREV_REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR']; // save changes
    }

    // check user agent for changes (possible impersonation attack).
    if (!isset($_SESSION['PREV_USER_AGENT']))
    {
        // possible attack
        $_SESSION['timeout_idle']         = time() + MAX_IDLE_TIME;
        $_SESSION['PREV_USER_AGENT']      = $user_agent;
        $_SESSION['SERVER_GENERATED_SID'] = true; // flag as generated by me
        // validate user
    }
    else
    {
        if ($_SESSION['PREV_USER_AGENT'] != $user_agent)
        {
            // possible attack
            $_SESSION['timeout_idle']    = time() + MAX_IDLE_TIME;
            $_SESSION['PREV_USER_AGENT'] = $user_agent;
            // validate user/login
        }
    }

    // check if idle time has expired - force revalidation of userid/password
    if (!isset($_SESSION['timeout_idle']))   // must respond by max idle time
    {
        $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
    }
    else
    {
        if ($_SESSION['timeout_idle'] < time())
        {
            // validate user / logon
        }
        else
        {
            $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
        }
    }

    // continue normal processing for this user
    Thanks for your time and consideration.
    Last edited by just.a.guy; 01-14-2012 at 09:04 PM.

  • #2 myfayt, Senior Coder
    Do not use cookies, sessions are much more secure, and also place any files you want protected above your root folder.

  • #3 Dormilich, Senior Coder

    Code:
    $_COOKIE['session_id']
    I don't know any XSS attack that uses a modified session id. If the session id doesn't match, the session is not started. (Though there are a lot of XSS attacks that work by stealing others' cookies.)

    Code:
    ini_set('session.gc_maxlifetime',600);
    This could be very annoying to your users if you have to log in every 5 minutes.

    Code:
    ini_set("session.use_cookies", 1);    // for security use cookies to get sid
    ini_set("session.use_trans_sid", 0);     // keep session id out of URL
    Add session.cookie_httponly.

    Code:
    $_SESSION['timeout_idle']         = time() + MAX_IDLE_TIME;
    There's already the session timeout. Why make it more complex than necessary?

    Code:
    $_SESSION['SERVER_GENERATED_SID'] = true;
    I don't see a need for that. >99% of the cases are initial login. If there is an XSS attack by a stolen cookie, you have to make sure that the "stolen" session does not live overly long (i.e. make the session GC clean up timed-out sessions). Besides that, I find the REMOTE_ADDR test sufficient to keep an intruder out of a running session.

  • #4 just.a.guy, New Coder
    All,

    Thanks for the help.
    I will implement what you said.

    About the idea of placing this as the first code in each of the files
    on the website: is that a good idea? Is it necessary?
    Can hackers try to guess file names in my website directory?

    Thanks for telling me about the session already having a timeout.
    Can I get that value and test it in my code?

    Thanks again.
    Last edited by just.a.guy; 01-14-2012 at 02:47 PM.

  • #5 Dan13071992, Regular Coder
    Quote Originally Posted by just.a.guy (post #4 above)
    Instead of inserting it in every single page manually, you can in fact include this file using the basic include function below. I will assume the name of this file to be "settings.php" just as an example:

    PHP Code:

    include_once('settings.php');
    Also make sure it is above your root folder, therefore making it:

    PHP Code:

    include_once('../settings.php');
    Hope this helps.
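As an added illustration of the advice in posts #3 to #5 (HttpOnly cookie, rely on the built-in timeout, keep the check in one included file), here is a settings.php that is not any poster's code. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and an application-defined MAX_IDLE_TIME; the session key names are made up for the example.

```php
<?php
// settings.php: hardened session bootstrap, include_once'd from every page.
// Added example, not code from the thread. Assumes PHP >= 7.3.
if (!defined('MAX_IDLE_TIME')) {
    define('MAX_IDLE_TIME', 900);     // idle limit in seconds (assumed value)
}

// Refuse session ids the server never issued (fixation defence).
ini_set('session.use_strict_mode', '1');
// The id travels only in a cookie, never in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Cookie flags: HttpOnly (not readable from document.cookie), Secure, SameSite.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'httponly' => true,
    'samesite' => 'Lax',
]);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// The server-side lifetime is already configured; read it instead of
// duplicating it, and never allow an idle window longer than that.
$gcLifetime = (int) ini_get('session.gc_maxlifetime');
$idleLimit  = min(MAX_IDLE_TIME, $gcLifetime);
$now        = time();

$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$uaChanged = isset($_SESSION['bound_ua']) && $_SESSION['bound_ua'] !== $ua;
$expired   = isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > $idleLimit;

if ($uaChanged || $expired) {
    // Discard the session data; the page that includes this file must
    // send the user to the login form when force_login is set.
    $_SESSION = [];
    session_regenerate_id(true);      // true: delete the old session storage
    $_SESSION['force_login'] = true;
}

$_SESSION['bound_ua']  = $ua;         // a REMOTE_ADDR binding can be added the same way
$_SESSION['last_seen'] = $now;
// Rotate the id on login (privilege change) with session_regenerate_id(true)
// rather than on every request, which races with parallel requests.
```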

  • #6 just.a.guy, New Coder
    Thanks,

    I will do as you say - one directory up.
