pha846

Reputation: 35

How can I secure my PHP sessions?

I've read about session_regenerate_id(), which prevents session fixation.

Suppose someone does a man-in-the-middle attack, steals the generated id, and then logs in with that session.

Then the real user would be logged out, and the attacker would gain access to the user's account.

How can I prevent this?

Upvotes: 1

Views: 75

Answers (2)

Alexander

Reputation: 501

anti hacking measures

I fully agree with Scopey but would go even further and delete the old session file by using session_regenerate_id(true); as this tells PHP to delete the file(s) associated with that session on disk. Why keep files on a server that aren't necessary anymore?

Another anti-session-hijacking measure is to store the first two octets of the client IP (maybe more when they are well encrypted, but I don't have that much data privacy knowledge yet) and maybe more client details in a database, which will be compared with the current client details. These data, especially the IP, should be encrypted and fully deleted as soon as the session is outdated.

conclusion

There are a couple of ways to check authorisation, and all of them are about using HTTPS, regenerating the session id, deleting outdated session files and storing client details on the first request on the server in order to compare them with the current client details.

How much security you need depends on the application's purpose. When it comes to bank data, for example, you had better implement more anti-hacking measures than you think are necessary. For a simple blog where registered users can only comment, you don't need a lot of anti-hacking measures.

keep in mind

The more secure your app is, the less user-friendly it is.

Upvotes: 1
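The two measures in the answer above (regenerating the id with the old file deleted, and binding the session to client details recorded on the first request) put together as an added example; this is not code from the original answer, and every function and constant name in it is an assumption for the example. The fingerprint uses the first two IP octets plus the User-Agent, hashed rather than encrypted, because the server only ever needs to compare it, never to read it back.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Helper names are
// assumptions chosen for this illustration.

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

// Fingerprint from the first two octets of the client IP plus the User-Agent.
// Hashing hides the raw IP in the session store; it is one-way, not encryption.
function client_fingerprint(array $server): string
{
    $ip     = $server['REMOTE_ADDR'] ?? '';
    $octets = explode('.', $ip);
    // Only IPv4 is handled here; for IPv6 a /64 prefix would be the analogue.
    $prefix = count($octets) === 4 ? $octets[0] . '.' . $octets[1] : $ip;
    $ua     = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $prefix . '|' . $ua);
}

// Call once, after the user's credentials have been verified.
function start_authenticated_session(int $userId, array $server): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // true: delete the old session file, so the pre-login id cannot be reused
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'     => $userId,
        'fingerprint' => client_fingerprint($server),
        'last_seen'   => time(),
    ];
}

// Call at the top of every request that requires authentication.
// Returns the user id, or null after destroying a session that fails a check.
function validate_session(array $server): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    $expired  = (time() - (int) $_SESSION['last_seen']) > SESSION_IDLE_LIMIT;
    $mismatch = !hash_equals((string) $_SESSION['fingerprint'], client_fingerprint($server));
    if ($expired || $mismatch) {
        destroy_session(); // outdated or hijacked: remove the server-side data
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// Remove the session data on the server and expire the cookie in the browser.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in the login handler, after the password check passed:
//   start_authenticated_session($userId, $_SERVER);
// Usage on a protected page:
//   if (validate_session($_SERVER) === null) { header('Location: /login'); exit; }
```

Two caveats before copying this: binding to the IP prefix logs out legitimate users whose address changes mid-session (mobile networks, some corporate egress), and it does nothing against an attacker on the same network prefix, which is exactly where a man-in-the-middle usually sits. Treat the fingerprint as a tripwire that complements HTTPS and a short idle timeout, not as a replacement for them.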

Scopey

Reputation: 6319

The most effective defence against man-in-the-middle attacks is HTTPS. You can set your session cookie parameters to only transmit the cookie over secure connections by using session_set_cookie_params.

Because only the client / server know how to encrypt/decrypt the request data, man in the middle attacks are much more difficult.

Otherwise, it is very difficult to implement a defence against man-in-the-middle attacks on insecure connections.

Upvotes: 6
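The cookie hardening this answer refers to, written out as an added example (not code from the original answer): the session cookie is marked Secure so the browser never sends it over plain HTTP, and the request itself is refused unless it arrived over TLS, so the id is never exposed to a man in the middle in the first place. The HttpOnly and SameSite flags, strict mode and the HSTS header go a step beyond what the answer states; the helper names are assumptions for this example, and the array form of session_set_cookie_params requires PHP 7.3 or newer.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Helper names are
// assumptions chosen for this illustration.

// Weak baseline, shown for contrast: the cookie is sent over HTTP and HTTPS
// alike and is readable from JavaScript.
//   session_start();

function request_is_https(array $server): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value other than "off" on TLS
    // connections. Behind a TLS-terminating proxy you would instead trust that
    // proxy's forwarded header deliberately; that case is left out here.
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function start_secure_session(array $server): void
{
    if (!request_is_https($server)) {
        // Do not start a session (and so never issue a cookie) over plaintext;
        // send the browser to the HTTPS URL instead.
        $host = $server['HTTP_HOST'] ?? 'localhost';
        $uri  = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . $host . $uri, true, 301);
        exit;
    }

    // Reject ids the server never issued (a fixation defence) and accept the
    // id only from the cookie, never from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // sent over HTTPS only: a MITM on HTTP never sees it
        'httponly' => true,    // not readable via document.cookie
        'samesite' => 'Lax',   // not attached to cross-site POSTs; 'Strict' if your flows allow
    ]);

    session_start();

    // Ask the browser to use HTTPS for this host for the next year, so a
    // downgrade to HTTP on a later visit is refused client-side.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Usage at the top of every page, before any output:
//   start_secure_session($_SERVER);
```

Check the result in the browser's developer tools: the Set-Cookie response header should carry `Secure; HttpOnly; SameSite=Lax`, and a request to the http:// URL should return the redirect without any Set-Cookie header at all. If a Set-Cookie appears on the plaintext response, session_start() ran before the HTTPS check.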
