Databases
StackOverflow2013
Postsdbo
POProper session hijacking prevention in PHP
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POProper session hijacking prevention in PHP
    primarykey
    data
    text
    <p>I know this topic has been discussed <em>a lot</em>, but I have a few specific questions still not answered. For example:</p> <pre><code>// **PREVENTING SESSION HIJACKING** // Prevents javascript XSS attacks aimed to steal the session ID ini_set('session.cookie_httponly', 1); // Adds entropy into the randomization of the session ID, as PHP's random number // generator has some known flaws ini_set('session.entropy_file', '/dev/urandom'); // Uses a strong hash ini_set('session.hash_function', 'whirlpool'); </code></pre> <hr> <pre><code>// **PREVENTING SESSION FIXATION** // Session ID cannot be passed through URLs ini_set('session.use_only_cookies', 1); // Uses a secure connection (HTTPS) if possible ini_set('session.cookie_secure', 1); </code></pre> <hr> <pre><code>session_start(); // If the user is already logged if (isset($_SESSION['uid'])) { // If the IP or the navigator doesn't match with the one stored in the session // there's probably a session hijacking going on if ($_SESSION['ip'] !== getIp() || $_SESSION['user_agent_id'] !== getUserAgentId()) { // Then it destroys the session session_unset(); session_destroy(); // Creates a new one session_regenerate_id(true); // Prevent's session fixation session_id(sha1(uniqid(microtime())); // Sets a random ID for the session } } else { session_regenerate_id(true); // Prevent's session fixation session_id(sha1(uniqid(microtime())); // Sets a random ID for the session // Set the default values for the session setSessionDefaults(); $_SESSION['ip'] = getIp(); // Saves the user's IP $_SESSION['user_agent_id'] = getUserAgentId(); // Saves the user's navigator } </code></pre> <p>So, my questions are</p> <ul> <li>do the <code>ini_set</code>'s provide enough security?</li> <li>is it okay to save the user's IP and navigator and then check it every time the page is loaded to detect a session hijack? Could this be problematic in any way?</li> <li>is the use of <code>session_regenerate_id()</code> correct?</li> <li>is the use of <code>session_id()</code> correct?</li> </ul>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. This table or related slice is empty.
    1. USfedericot
    plurals
    1. PL
      singulars
      1. LTLinked
    1. PL
      singulars
      1. LTLinked
    2. PL
      singulars
      1. LTLinked
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POProper session hijacking prevention in PHP
      1. USFrank
      1. VTFavorite
    2. VO
      singulars
      1. POProper session hijacking prevention in PHP
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POProper session hijacking prevention in PHP
      1. This table or related slice is empty.
      1. VTUpMod
    1. COAll the overblown randomness stuff is probably the least relevant part of security, since the widest security holes are usually somewhere else entirely. You only need to regenerate the session ID when the login is successful, too.
      singulars
      1. POProper session hijacking prevention in PHP
      1. USKerrek SB
    2. COWell, it can't hurt. Also, a main reason I'm doing this is because I don't have accounts in my website, just anonymous navigation. So, there's no such thing as a login. Would it be better _not_ to regenerate the session ID every time?
      singulars
      1. POProper session hijacking prevention in PHP
      1. USfedericot
    3. COThere's no unique answer. The first thing is to regenerate on login. Beyond that is kinda overkill. Somehow, that session regeneration could be helpful in certain situations. Example: if you manage some kind of transactions (saving posts, uploading files, changing data somewhere behind the app) it helps because you could track if the user performed a history(-1) and got an old request sent again.
      singulars
      1. POProper session hijacking prevention in PHP
      1. USAlfabravo
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload