Security with PHP Sessions

I know this has been asked a billion times, but I'm super paranoid / OCD about the security of my code. I am working on a small project. Session data will only contain:

    user_id     1
    username    MyUsername
    logged_in   true
    csrf_token  87cc51ee94178df79cccce2aebc45d53

Here is my code. Is it safe enough to use on a small CMS?

    // Cookie settings have to be applied before session_start() (as originally
    // posted they came after it, where they no longer affect the cookie already sent).
    ini_set('session.cookie_httponly', 'On');
    ini_set('session.cookie_secure', 'On');
    ini_set('session.use_cookies', 'On');
    ini_set('session.use_only_cookies', 'On');
    session_start();

    // Intended: regenerate the session ID on most requests
    $rand = rand(1, 10);
    if ($rand != 1 || $rand != 3 || $rand != 5) {
        session_regenerate_id();
    }

    // Bind the session to the client's IP address and User-Agent
    $user_ip    = md5($_SERVER['REMOTE_ADDR']);
    $user_agent = md5($_SERVER['HTTP_USER_AGENT']);

    if (isset($_SESSION['user_ip'], $_SESSION['user_agent'])) {
        $session_user_ip    = $_SESSION['user_ip'];
        $session_user_agent = $_SESSION['user_agent'];
        if ($session_user_ip != $user_ip || $session_user_agent != $user_agent) {
            // unset($_SESSION) disables session handling; clear the array instead
            $_SESSION = array();
            session_destroy();
            die('Error');
        }
    } else {
        $_SESSION['user_ip']    = $user_ip;
        $_SESSION['user_agent'] = $user_agent;
    }

Then, to populate the session:

    $_SESSION['user_id']   = 1;
    $_SESSION['user_name'] = 'MyUsername';
    // etc.

Additional information:
I will use the session data to check whether the user is allowed to do something. Example: if (user_has_perm($_SESSION['user_id']))

Thanks for your help in advance.

+8
security php session suhosin
7 answers

Session security risks come from three different possibilities:

  • Prediction
  • Hijacking
  • Fixation

Prediction would mean that someone who is not the user the session was created for guessed their session identifier. The chances of this are almost 0, although they grow as more and more users use the site at the same time.

Using your code, you risk even less, because it will only work if the attacker shares the user agent and the IP of the predicted session. But in that case the difference is trivial.

Fixation means that an attacker can create a session and then force another user to use that session. In this case it depends: if the attacker knows that you are doing this and they spoof the user agent and client IP, they can fix the session. Or if they share IP and user agent.

And finally we have session hijacking, probably the most common of the three. In this case the attacker somehow gains access to the session ID of a valid logged-in user and then uses it to log in to that account. As with the previous method, this will only work for them if they know that you are checking the IP and user agent and spoof the same ones as the user. The technique you use is not unique, and some attackers may spoof them just in case.


That said, is it safe? Yes and no.

If you are obsessed with security, the answer is always the same: use SSL.

If your code is not open source, almost anything you do that modifies the behaviour of PHP sessions will be fairly safe.

The only exception is really popular sites that will attract the attention of hackers.

There is very good documentation in this thread:

+12

I am not a security expert. However, I humbly doubt that your security measures bring any significant advantage.

If someone can steal your users' session ID, for example by eavesdropping on an unencrypted wireless network, I bet they can also steal the username and password that your users send to your server when they authenticate. Once they have the credentials, an attacker can log in a day or a week later and will have their own "safe" and 100% valid session to play with.

I believe there is no session security without channel protection. If you use SSL, make sure the session identifier is sent only through cookies (you already do this), and make your sessions expire soon, I believe you are safer than performing these contortions over an insecure channel.

+3

First, you have a bug in the session regeneration code. The following if will always evaluate to true:

    if ($rand != 1 || $rand != 3 || $rand != 5)

If $rand is not equal to 1, it returns true. If $rand is 1, then it is not 3, and it returns true. You probably meant and (&&) here.

Second, you do not need to MD5 the user_ip or user_agent strings. If someone can directly access the session data on your server, you are so deep in it that hashing this data will not save you.

CLARIFICATION: As SDC and crush point out in the comments, MD5 is fine for hashing passwords if you use it with a salt. This means your users' passwords are generally still secure even if an SQL injection attack succeeds and your database is exposed to the world. However, if your server is hacked and the salt is compromised, it becomes possible to build a set of known hashes and attempt a reverse lookup for a specific password. Bottom line? Hash your user passwords with a salt.

Third, most security holes do not come from session spoofing. They come from poor input validation. A book like Essential PHP Security should be a good introduction to the kind of input validation you should be doing in your PHP project. Otherwise, at least read the security section of the PHP manual. Pay attention to the SQL injection part. That's cool!

Finally, I completely agree with the other poster that you should use SSL to secure communication with your site.

+2
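The first answer's three attack classes (prediction, hijacking, fixation) and this answer's two code points (the always-true regeneration test and the pointless MD5) can be put together in one corrected bootstrap. The code below is an added example, not the question's code nor any answer's: it assumes PHP 7.3 or later (for session.cookie_samesite), and the constant SESSION_REGENERATE_INTERVAL, the fingerprint() and csrf_token_is_valid() helpers and the $_SESSION keys are names chosen here. It deliberately drops the client IP from the fingerprint, because mobile clients and proxies change it legitimately; the User-Agent alone gives the same "just in case" hurdle the first answer describes.

```php
<?php
// Added example: a session bootstrap applying the fixes discussed in the answers.
// Assumes PHP >= 7.3; SESSION_REGENERATE_INTERVAL and the helper names are ours.
declare(strict_types=1);

const SESSION_REGENERATE_INTERVAL = 300; // seconds between forced ID changes

// Fingerprint of the client. Hashing is only for a fixed-width value to compare;
// it adds no secrecy (the answers are right about that), so SHA-256 vs MD5 is moot.
function fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function csrf_token_is_valid(?string $submitted): bool
{
    return $submitted !== null
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// All cookie/ID settings go BEFORE session_start(); afterwards they do nothing
// for the cookie that has already been sent.
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (anti-fixation)
ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
ini_set('session.cookie_httponly', '1');   // not readable from document.cookie
ini_set('session.cookie_secure', '1');     // sent over HTTPS only
ini_set('session.cookie_samesite', 'Lax'); // not attached to cross-site POSTs
session_start();

if (!isset($_SESSION['fingerprint'])) {
    // Fresh session: record who it belongs to.
    $_SESSION['fingerprint']      = fingerprint();
    $_SESSION['last_regenerated'] = time();
} elseif (!hash_equals($_SESSION['fingerprint'], fingerprint())) {
    // A different client presented this ID: wipe data, cookie and server-side file.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    http_response_code(403);
    exit('Session mismatch');
}

// Deterministic periodic regeneration instead of rand() with an always-true test.
// The "true" argument deletes the old ID so it cannot be replayed.
if (time() - ($_SESSION['last_regenerated'] ?? 0) > SESSION_REGENERATE_INTERVAL) {
    session_regenerate_id(true);
    $_SESSION['last_regenerated'] = time();
}

// CSRF token from the CSPRNG, never from rand() or md5(uniqid()).
if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Usage in a form handler:
//   if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) { http_response_code(403); exit; }
```

Two details carry most of the weight here: session.use_strict_mode makes PHP discard any session ID it did not generate itself, which is what actually closes the fixation path, and session_regenerate_id(true) at a fixed interval (and again at login, when privileges change) limits how long a hijacked ID stays valid. The fingerprint check and hash_equals comparison are the "just in case" layer the answers describe, no more.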

Honestly, I think you are being too careful, and not in a very useful way.

If you are really worried about session security, do not try to do it yourself. Use a patch that hardens PHP, such as Suhosin. Let it do all the hard work for you. Suhosin is a well-established patch for PHP. It includes stuff that deals with all the methods of hijacking a PHP session. If you have it installed, you do not need to do anything extra to secure your sessions. If you don't have it, then you definitely cannot claim to be super-paranoid about security!

In short, install Suhosin (if you haven't already) and forget about it.

But just for completeness, I will make a few comments on your actual code, just to point out a few things:

I'm not sure why you think MD5 hashing matters. MD5 hashes can be cracked in seconds, so their use in any security feature is completely arbitrary. It may as well be plain text. However, I really do not see the need for them to be anything other than plain text: if a hacker managed to get at the session data in order to read the IP address it contains, then you have bigger worries than whether they have an IP address or not.

0

There are just two major session attacks.

1.) Session fixation attacks.

This can be prevented by using session_regenerate_id().

2.) Session theft:

This can be prevented by encrypting the data using SSL certificates. Your site will then run on https, not http.

3.) If you are on a shared server where CloudFare or JailRoot are not implemented, you can store your sessions in the database rather than in the default file-system storage.

With these three implementations, let me see the hacker who claims to hijack a user session...

0
    <?php
    // The beginning of this answer was lost in extraction; the code resumes mid-string.
    $page = "Select the image to upload: ";
    $res = mysql_query("SELECT `id`, `FirstName`, `LastName`, `Address`, `Password`, `Repassword`,
                        `Birthday`, `Gender`, `user_image` FROM `registration`") or die(mysql_error());
    while ($row = mysql_fetch_array($res)) {
        $id         = $row['id'];
        $firstname  = $row['FirstName'];
        $user_image = $row['user_image'];
        $page      .= "$firstname";
    }
    $page .= "";
    // The ORDER BY column name at the end of this query was garbled in extraction.
    $res_post = mysql_query("SELECT post_info.post_info_id, post_info.id, post_info.post_info_desc,
                             registration.FirstName FROM `post_info` JOIN `registration`
                             WHERE post_info.id = registration.id
                             ORDER BY post_info.post_info_") or die(mysql_error());
    while ($row_post = mysql_fetch_array($res_post)) {
        $post_id   = $row_post['post_info_id'];
        $post_desc = $row_post['post_info_desc'];
        $id        = $row_post['id'];
        $firstname = $row_post['FirstName'];
        // The HTML markup wrapped around these two values did not survive extraction.
        $page .= "$firstname $post_desc";
    }
    $page .= "";
    include('includes/main_file.php');
    ?>
-1
    <?php
    session_start();
    // mysql_* functions: removed in PHP 7; PDO or mysqli with prepared statements replace them.
    $con   = mysql_connect("localhost", "root", "");
    $seldb = mysql_select_db('myfreind', $con);

    // Raw POST values are interpolated into the SQL below (SQL injection), the password
    // is compared in clear text instead of against a hash, and the posted e-mail is
    // matched against FirstName.
    $email    = $_POST['txtEmail'];
    $password = $_POST['txtPass'];
    $res = mysql_query("SELECT `id`, `FirstName`, `LastName`, `Address`, `Password`, `Repassword`,
                        `Birthday`, `Gender` FROM `registration`
                        WHERE `Password`='$password' and `FirstName`='$email'");
    $num = mysql_num_rows($res);
    if ($num == 1) {
        $row       = mysql_fetch_array($res);
        $id        = $row['id'];
        $firstname = $row['FirstName'];
        // No session_regenerate_id() here, so an ID fixed before login stays valid after it.
        $_SESSION['id']        = $id;
        $_SESSION['FirstName'] = $firstname;
        //echo $_SESSION['id'];
        header('Location:main.php');
    } else {
        header('Location:index.php?error');
    }
    ?>
-2
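The login above is the "before" picture for the earlier answer's points about input validation, SQL injection and hashed passwords: a POSTed password of ' OR '1'='1 satisfies its WHERE clause, and the stored password is compared in clear. Below is an added example, not this answer's code nor the original poster's, of the same flow done safely. It assumes PHP 8.0 or later and PDO (pdo_sqlite with an in-memory database here so it runs stand-alone; a MySQL DSN in production); the `Email` and `PasswordHash` columns, the demo user and the connect()/authenticate()/login() helpers are constructed for the example.

```php
<?php
// Added example: the login flow with bound parameters, password_hash()/password_verify()
// and session ID regeneration at login. Assumes PHP >= 8.0 and pdo_sqlite; names are ours.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE registration (
        id INTEGER PRIMARY KEY, Email TEXT UNIQUE NOT NULL,
        FirstName TEXT NOT NULL, PasswordHash TEXT NOT NULL)');
    // Constructed demo user. Only the password_hash() output is stored, never the password.
    $ins = $db->prepare('INSERT INTO registration (Email, FirstName, PasswordHash) VALUES (?, ?, ?)');
    $ins->execute(['alice@example.com', 'Alice',
                   password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user row on success, null on failure. "No such user" and "wrong password"
// take the same path so the response does not reveal which one happened.
function authenticate(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, FirstName, PasswordHash FROM registration WHERE Email = ?');
    $stmt->execute([$email]);                 // bound parameter: the value is never parsed as SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return null;
    }
    // Transparent upgrade when PASSWORD_DEFAULT changes algorithm or cost.
    if (password_needs_rehash($row['PasswordHash'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE registration SET PasswordHash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return $row;
}

// Requires an active session (session_start() already called).
function login(PDO $db, string $email, string $password): bool
{
    $user = authenticate($db, $email, $password);
    if ($user === null) {
        return false;
    }
    // Privilege change: issue a fresh ID so an ID planted before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['id']        = (int) $user['id'];
    $_SESSION['FirstName'] = $user['FirstName'];
    $_SESSION['logged_in'] = true;
    return true;
}

// Request handling with the same form field names as the original answer.
if (PHP_SAPI !== 'cli') {
    session_start();
    $db = connect();
    $ok = login($db, (string) ($_POST['txtEmail'] ?? ''), (string) ($_POST['txtPass'] ?? ''));
    header('Location: ' . ($ok ? 'main.php' : 'index.php?error'));
    exit;
}
```

With the parameter bound, txtPass = ' OR '1'='1 is just a 13-character string that password_verify() rejects, and txtEmail is looked up as a literal e-mail rather than spliced into the query. password_hash() with PASSWORD_DEFAULT (bcrypt, currently) salts every hash itself, which is the "hash with a salt" advice from the earlier answer without having to manage salts by hand.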
