PHP Sessions and Data Persistence
Preventing Session Fixation
Problem
You want to make sure that your application is not vulnerable to session fixation attacks, in which an attacker forces a user to use a predetermined session ID.
Solution
Require the use of session cookies without session identifiers appended to URLs, and generate a new session ID frequently:
<?php
// Accept a session ID only from the session cookie, never from a URL parameter
ini_set('session.use_only_cookies', true);
session_start();
// Issue a fresh session ID if none has been recorded yet or the current one
// is more than 30 seconds old
if (!isset($_SESSION['generated'])
    || $_SESSION['generated'] < (time() - 30)) {
    session_regenerate_id();
    $_SESSION['generated'] = time();
}
Discussion
In this example, we start by setting PHP’s session behavior to use cookies only. This ensures PHP won’t pay attention to a session ID if an attacker has put one in a URL.
Once the session is started, we set a value that will keep track of the last time a session ID was generated. By requiring a new one to be generated on a regular basis—every 30 seconds in this example—the opportunity for an attacker to obtain a valid session ID is dramatically reduced.
These two approaches combine to virtually eliminate the risk of session fixation. An attacker has a hard time obtaining a valid session ID because it changes so often, and because session IDs can only be passed in cookies, a URL-based attack is not possible. Finally, because we enabled the session.use_only_cookies setting, no session IDs will be left lying around in browser histories or in server referrer logs.
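A hardened variant of the recipe, added here as an example and not the cookbook's own code: it keeps the cookie-only setting and the 30-second regeneration, and goes a step further with PHP's strict session mode (which refuses IDs the server never issued), protective cookie flags, deletion of the old session data on regeneration, and a fresh ID when the user logs in. The function names are assumptions; session_set_cookie_params with an options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original recipe); function names are assumptions.
declare(strict_types=1);

const REGEN_INTERVAL = 30;   // seconds, same interval as the recipe

function secure_session_start(): void
{
    // Accept session IDs only from cookies, never from URLs.
    ini_set('session.use_only_cookies', '1');
    // Reject IDs the server never issued: an attacker-chosen ID is not
    // adopted; PHP discards it and issues a fresh one instead.
    ini_set('session.use_strict_mode', '1');
    // Cookie is unreadable to scripts, sent over HTTPS only, and not
    // attached to cross-site requests.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    if (!isset($_SESSION['generated'])
        || $_SESSION['generated'] < (time() - REGEN_INTERVAL)) {
        // true: delete the old session data so the previous ID is dead,
        // not merely superseded.
        session_regenerate_id(true);
        $_SESSION['generated'] = time();
    }
}

// Call this whenever the session's privilege level changes, e.g. after a
// successful login: an ID fixed before authentication must not survive it.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['generated'] = time();
    $_SESSION['user_id']   = $userId;
}

secure_session_start();
```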