[Resolved] Learning PHP Session Security Practices



just.a.guy
01-14-2012, 12:15 AM
Hi,

I am new to PHP. I have been reading about PHP sessions. One comment
said that unless you are an "experienced" PHP person, you should not
use "sessions". That leaves me with saving data in cookies, which I
view as even less secure.

I have tried to do some homework on this subject. Now I am
asking you to provide input to help me and others write a secure
PHP web script.

I have read that each input item from the user needs to be filtered.
I am not addressing that point at this time.

I assume that every file in the website directory could be a candidate
for an attack.

Therefore, I am looking for a canned set of logic that I can place
at the start of each file that will attempt to make it more secure.

Here is the file that I have gathered from multiple sources. Please
look at it and provide your input.




// check for possible xss cookie attack.

if (isset($_COOKIE['session_id']) && !preg_match('#^[[:alnum:]]+$#', $_COOKIE['session_id']))
{
    unset($_COOKIE['session_id']); //protect from attacked cookie sid
}

// idle limit in seconds; MAX_IDLE_TIME is used below but was never defined, 600 is an assumed value
if (!defined('MAX_IDLE_TIME'))
{
    define('MAX_IDLE_TIME', 600);
}

// limit session length

ini_set('session.gc_maxlifetime', 600); //force short session - 600 s = max 10 mins!

session_cache_expire(15); // limit browser reuse of old data to 15 min.
session_cache_limiter('private_no_expire'); // keep cached out of public pool

// force session to be passed in cookie; don't allow url session ids

ini_set("session.use_cookies", 1); // for security use cookies to get sid
ini_set("session.use_trans_sid", 0); // keep session id out of URL

// initialize session for first time calls

if (session_id() == "") // handle session.auto-start = true situation
{
    session_start();
}

// change session id on each user response
session_regenerate_id(); // force new id on each interaction

if (!isset($_SESSION['SERVER_GENERATED_SID'])) //2nd time through?
{
    // no, either initial login or possible attack
    $_SESSION['PREV_REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
    $_SESSION['SERVER_GENERATED_SID'] = true; // flag as gend by me
    $_SESSION['PREV_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
    // validate user / login process
}

if (!isset($_SESSION['PREV_REMOTE_ADDR']))
{
    // possible attack
    $_SESSION['PREV_REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
    $_SESSION['PREV_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION['SERVER_GENERATED_SID'] = true; // flag as gend by me
    // validate user/login
}
else
{
    $_SESSION['PREV_REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR']; //save changes
}

// check user agent for changes (possible impersonation attack).

if (!isset($_SESSION['PREV_USER_AGENT']))
{
    // possible attack
    $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
    $_SESSION['PREV_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT']; // stray ')' removed
    $_SESSION['SERVER_GENERATED_SID'] = true; // flag as gend by me
    // validate user
}
else
{
    if ($_SESSION['PREV_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT'])
    {
        // possible attack
        $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
        $_SESSION['PREV_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
        // validate user/login
    }
}

// check if idle time has expired - force revalidation of userid/password

if (!isset($_SESSION['timeout_idle'])) //must respond by max idle time
{
    $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
}
else
{
    if ($_SESSION['timeout_idle'] < time())
    {
        //validate user / logon
    }
    else
    {
        $_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
    }
}

// continue normal processing for this user



Thanks for your time and consideration.

myfayt
01-14-2012, 04:22 AM
Do not use cookies; sessions are much more secure. Also place any files you want protected above your root folder.

Dormilich
01-14-2012, 10:44 AM
$_COOKIE['session_id']
I don't know any XSS attack that uses a modified session id. If the session id doesn't match, the session is not started. (Though there are a lot of XSS attacks by stealing others' cookies.)



ini_set('session.gc_maxlifetime',600);
This could be very annoying to your users, if you have to log in every 5 minutes.



ini_set("session.use_cookies", 1); // for security use cookies to get sid
ini_set("session.use_trans_sid", 0); // keep session id out of URL

add session.cookie_httponly



$_SESSION['timeout_idle'] = time() + MAX_IDLE_TIME;
There's already the session timeout. Why make it more complex than necessary?



$_SESSION['SERVER_GENERATED_SID'] = true;
I don't see a need for that. > 99% of the cases are initial login. If there is an XSS attack by a stolen cookie, you have to make sure that the "stolen" session does not live overly long (i.e. make the session GC clean up timed-out sessions). Besides that, I find the REMOTE_ADDR test sufficient to keep an intruder out of a running session.

just.a.guy
01-14-2012, 03:19 PM
All,

Thanks for the help.
I will implement what you said.

About the idea of placing this as the first code in each of the files
on the website: is that a good idea? Is it necessary?
Can hackers try to guess file names in my website directory?

Thanks for telling me about the session already having a timeout.
Can I get that value and test it in my code?

Thanks again.
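
Pulling the thread's advice into one bootstrap file, as an added example (it is not the original poster's code and nothing the replies posted): it sets the cookie-only and HttpOnly options Dormilich mentions, binds the session to REMOTE_ADDR and the user agent, leans on PHP's built-in garbage-collection timeout instead of a hand-rolled one, and answers the question above by reading that timeout back with ini_get(). The function names, the session keys and the 600-second idle value are assumptions.

```php
<?php
// Hypothetical settings.php (added example): include_once this before any output.
// Function names, session keys and the 600 s idle limit are assumed, not from the thread.

function session_timeout_seconds()
{
    // The built-in timeout the thread refers to; readable from ini at runtime.
    return (int) ini_get('session.gc_maxlifetime');
}

function secure_session_start($maxIdle = 600)
{
    // Session ID travels only in a cookie (never the URL) and the cookie is HttpOnly.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    // Let PHP's garbage collector expire idle sessions server-side.
    ini_set('session.gc_maxlifetime', (string) $maxIdle);
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);   // Secure flag when served over HTTPS

    if (session_id() === '') {   // also covers session.auto_start = 1
        session_start();
    }

    $addr  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $now   = time();

    // A session arriving from a different address/agent, or one that sat idle too long,
    // is not trusted: discard it, issue a fresh ID and force the login flow again.
    $mismatch = (isset($_SESSION['bound_addr']) && $_SESSION['bound_addr'] !== $addr)
             || (isset($_SESSION['bound_agent']) && $_SESSION['bound_agent'] !== $agent);
    $expired  = isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > $maxIdle;

    if ($mismatch || $expired || !isset($_SESSION['bound_addr'])) {
        $_SESSION = array();            // drop whatever the old session carried
        session_regenerate_id(true);    // new ID; the old one is deleted on the server
        $_SESSION['bound_addr']  = $addr;
        $_SESSION['bound_agent'] = $agent;
        $_SESSION['logged_in']   = false;
    }
    $_SESSION['last_seen'] = $now;
    return $_SESSION['logged_in'];      // false => the caller must show the login page
}

// Usage on every page: if (!secure_session_start()) { /* show login form */ }
```

Binding to REMOTE_ADDR also logs out legitimate users whose address changes mid-session (mobile networks, some proxies), so treat it as a trade-off rather than a free check.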

Dan13071992
01-14-2012, 08:58 PM
Instead of inserting it in every single page manually, you can in fact include this file using the basic include function below. I will assume the name of this file to be "settings.php" just as an example:




include_once('settings.php');



Also make sure it is above your root folder, therefore making it:




include_once('../settings.php');



hope this helps

just.a.guy
01-14-2012, 10:03 PM
Thanks,

I will do as you say - one directory up.
