$_SERVER['HTTP_USER_AGENT'] and session_regenerate_id in PHP

Question

After reading a great post on PHP session security .I have two questions from the discussion.

1)$_SERVER['HTTP_USER_AGENT'] -This gets the information about the user's browser and other details and since a person can access their account from a different computer then how is it useful?

2)session_regenerate_id - This regenerates a session id , How should I use it ? Is the session_id deleted after a session has timeout or closed?

Thanks for all your help.I appreciate each view and response.

Answer 1

I'll try to answer your questions from the bottom up: session_regenerate_id() is useful in preventing session fixation attacks, where a malicious user who has obtained your session ID hijacks your session and can then act as you. When you regenerate the session, you can track the latest session ID in a database or something similar, and only allow access with the most current session ID (incidentally, if you regenerate sessid frequently enough, this will prevent users from browsing your site with multiple browsers/windows), otherwise old sessions will be available by default (unless you pass a boolean true parameter to the session_regenerate_id function call).

Some security-crazy people will suggest regenerating the session ID after every request, but you can also track a session variable that increments per request, and just regenerate every X number of requests (5 or 10 or whatever you determine is a sufficient amount for your security level). The other option is to regenerate the session ID during a privileges escalation, such as logging in.

As for HTTP_USER_AGENT, it is mostly useful in implementing browser/client-specific functionality (for example, displaying a "Get Chrome!" link when users visit your site using Firefox or IE).

Answer 2

1) Sessions aren't bound to accounts, they're bound to browser sessions. You can use the user agent information to see if that someone other user agent is trying to hijack the session. However it's not fail-proof. You can also use things like the user's IP address (or a given range of it) to catch hijack attempts.

2) By calling session_regenerate_id from time to time, you reduce the chance of someone hijacking the session. This is especially true if the session ID is passed in the URL. For example let's say someone accidentally pasted a link to a chat with the SID in the URL. If you regenerate the session ID periodically, the users who saw that link can't hijack the session with it, as the ID would've changed already.

Answer 3

The User-Agent is useful for determining the browser being used, which may lead to guessing some of its capabilities. For example, most mobile devices can be accurately identified by their browser's user agent (see WURFL), thus allowing a site's developer to direct mobile devices to the site's mobile version.

However, it can be modified by the user, so its value should be taken with a grain of salt as is the case with any user input.

session_regenerate_id() doesn't delete the session. It merely changes its id to a newly created one. To avoid having its old session file hang around until auto deletion by the system, you can delete it yourself by setting the optional function parameter to true. Its use is to avoid session fixation attacks where an attacker can gain access to an existing session's data by knowing and presenting its id to the server.

Answer 4

$_SERVER['HTTP_USER_AGENT'] , you can use this information for when you are using special features that may not work for everyone, or if they want to get an idea of their target audience. This also is important when using the get_browser() function for finding out more information about the browser's capabilities. By having this information the user can be directed to a version of your site best suited to their browser.

session_regenerate_id, When it renames the session id it does not remove the old session, leaving it active and potentially usable by a would be hacker. This does not pose a problem if the function is only used during new session create as the means of preventing session fixation, which is the intended use btw. However, it makes it completely useless if used on each session based request to prevent session leakage via HTTP_REFERER and similar, since the previous session id is still usable. It also means that changing the id on “actions” as some scripts to do prevent session theft also is pointless; in fact it doubles the amount of session ids for the same user making it only simpler to assume their identity. Furthermore it means that on every call to the function there is duplication in the number of sessions entries that will hang around until they are considered expired and removed by the garbage collection process.