View Full Version : High security PHP sessions

06-22-2010, 09:58 PM

I want to create a model of really high security system for my website. That would mean sessions.

I already heard about something like that:

$_SESSION['authID'] = 'your_special_ID';


$fingerprint = 'SHIFLETT' . $_SERVER['HTTP_USER_AGENT'];
$_SESSION['fingerprint'] = md5($fingerprint . session_id()

But is this good enough? Are there mistakes? Maybe there are other ways to make high security level from session and website hijacks??

Thanks in advance.

06-22-2010, 10:10 PM
SSH and force cookies.
Use session_regenerate_id to always create a new session id, which would substantially reduce the threat of SID intercepting. May want to check the IP as well, though be aware that IP, USER_AGENT, and a good chunk of anything you get from $_SERVER are user provided and are therefore deemed unreliable.

06-22-2010, 11:18 PM

if i start session, it automatically creates session_id??

Then, server saves it... And how then check if it is the same??

06-22-2010, 11:31 PM

if i start session, it automatically creates session_id??

Then, server saves it... And how then check if it is the same??

Unless you force it into a new session_id, the server recognizes if its the same ID or not, as its stored locally and on the server (the server matches it up)... but since a user can alter their session_id if they know what they're doing, someone can spoof the server into believing they are someone else (what Fou-Lu said about intercepting). You can check the current session_id, but you don't need to.

06-22-2010, 11:45 PM
Thats right. The session_id is provided by PHP and refers to (generally, though can be changed) a file. This file is located wherever the specification of the save path for your sessions has been set, and %TEMP% / /tmp otherwise. PHPSESSID is seeked by PHP for user entries, either as a cookie if available / forced, or in the GET of the querystring. It then matches this information when calling session_start, and returns the associated information within the session file with the same name.
Using session_regenerate_id() will create a new session file, copy the data into it, submit a new cookie to the user, and attempt to destroy the original if possible. If your previous session was intercepted during transport, attempting to use it now becomes void since there is no associated session for that session_id. The expense is a little overhead since you need to take the time to do all this extra stuff. But C is so fast you won't even notice it to be honest.

06-23-2010, 02:05 PM
Is there working example of secure sessions somewhere? I want to see how the script looks like and how it works...

of course if it is possible... thanks.

06-23-2010, 04:30 PM
Check out the session_regenerate_id page for some information on that: http://php.ca/manual/en/function.session-regenerate-id.php
There are literally tons of approaches to securing sessions. Try searching for 'php session SSL secure' and see what you come up with for session specific information.

06-24-2010, 11:04 PM
This is familiar topic of mine other: Can you take a look? http://www.codingforums.com/showthread.php?t=198813