PHP Sessions and Data Persistence Preventing Session Fixation

PHP Sessions and Data Persistence

Preventing Session Fixation

Problem

You want to make sure that your application is not vulnerable to session fixation attacks, in which an attacker forces a user to use a predetermined session ID.

Solution

Require the use of session cookies without session identifiers appended to URLs, and generate a new session ID frequently:

         ini_set('session.use_only_cookies', true);

         session_start();

         if (!isset($_SESSION['generated'])

              || $_SESSION['generated'] < (time() - 30)) {

              session_regenerate_id();

              $_SESSION['generated'] = time();

         }

Discussion

In this example, we start by setting PHP’s session behavior to use cookies only. This ensures PHP won’t pay attention to a session ID if an attacker has put one in a URL.

Once the session is started, we set a value that will keep track of the last time a session ID was generated. By requiring a new one to be generated on a regular basis—every 30 seconds in this example—the opportunity for an attacker to obtain a valid session ID is dramatically reduced.

These two approaches combine to virtually eliminate the risk of session fixation. An attacker has a hard time obtaining a valid session ID because it changes so often, and because sessions IDs can only be passed in cookies, a URL-based attack is not possible.Finally, because we enabled the session.use_only_cookies setting, no session cookies will be left lying around in browser histories or in server referrer logs.