Reputation: 834
I have a strange issue where after I regenerate a session ID using
session_regenerate_id(true);
the cookie seems to lose its "Secure, HttpOnly" flags.
I can reset the cookie by using
$params = session_get_cookie_params();
setcookie("PHPSESSID", session_id(), 0, $params["path"], $params["domain"],
    true, // this is the secure flag you need to set. Default is false.
    true  // this is the httpOnly flag you need to set
);
but Veracode (which we use for security testing) is flagging it as insecure because the first cookie (the one that is regenerated) does not have the Secure, HttpOnly tags in the header.
Here is the sample header
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Nov 2018 12:56:41 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=98
Location: home.php
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/; secure; HttpOnly
Veracode is flagging the issue because the first cookie does not have the Secure, HttpOnly tags. I guess it's only reading the first, or it feels that their not showing up by default is insecure. How do I go about forcing those tags on a regenerated session? Or is there a better way to achieve what they ask? Here is my code.
session_start();
$_SESSION = array();   // drop all data held by the current session
session_unset();
session_destroy();
session_start(); // Not sure if this is needed (it is: session_regenerate_id() needs an active session)
session_regenerate_id(true);
// Re-send the session cookie by hand because the one PHP sent above carries no flags
$params = session_get_cookie_params();
setcookie("PHPSESSID", session_id(), 0, $params["path"], $params["domain"],
    true, // this is the secure flag you need to set. Default is false.
    true  // this is the httpOnly flag you need to set
);
Upvotes: 3
Views: 662
Reputation: 22760
In your local folder PHP.ini settings (typically called user.ini and found in the root HTML directory of your website account), you can set the PHP.ini values:
session.cookie_secure=1
session.cookie_httponly=1
session.use_only_cookies=1
and this will mean any usage of session cookies by this account (this website) will conform to the above requirements.
This is much better than coding these requirements into your scripts, as that can be easily missed or overlooked down the line.
Your script can then be:
session_start();
...
session_regenerate_id(true);
And you will know everything else will be taken care of automatically.
You can read a little more about session security HERE.
Upvotes: 3
Reputation: 1129
You can
session_set_cookie_params ( int $lifetime [, string $path
[, string $domain [, bool $secure = FALSE [, bool $httponly = FALSE ]]]] )
before session_start()
The session_unset, destroy and start are not needed then. Also, don't assign a value to $_SESSION, as you are overwriting the session data.
https://secure.php.net/manual/en/function.session-set-cookie-params.php
Upvotes: 2
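Putting the two answers together, here is an added example (not code from the question or from either answer) that sets the cookie attributes before session_start(), so the Set-Cookie that session_regenerate_id(true) emits already carries Secure and HttpOnly, and then checks the response headers for exactly the condition the scanner flagged instead of trusting a second setcookie() call. It assumes PHP 7.3 or newer (array form of session_set_cookie_params with the samesite key); the function names start_hardened_session and find_weak_session_cookies are this example's own, and the sample header lines are constructed from the response shown in the question.

```php
<?php
// Added example: configure the session cookie before session_start() so that
// every Set-Cookie PHP emits for the session (including the one sent by
// session_regenerate_id(true)) already has Secure and HttpOnly, then verify
// that from the headers rather than re-sending the cookie by hand.
// Assumes PHP >= 7.3. Function names are this example's own.

declare(strict_types=1);

function start_hardened_session(): void
{
    // Runtime equivalent of the user.ini settings from the first answer.
    // Must run before session_start(): the cookie is built from these values.
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // limits cross-site sending
    ]);
    session_start();
    // New id after login or privilege change. PHP re-sends the cookie using the
    // parameters above, so no follow-up setcookie() and no hard-coded name.
    session_regenerate_id(true);
}

/**
 * Return every Set-Cookie header for $cookieName that lacks one of the
 * required attributes. Empty array means the response is clean. Attribute
 * names are matched case-insensitively, as browsers treat them.
 */
function find_weak_session_cookies(array $headers, string $cookieName, array $required = ['secure', 'httponly']): array
{
    $weak = [];
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        [$name] = explode('=', $parts[0], 2);
        if (trim($name) !== $cookieName) {
            continue; // some other cookie; not our concern here
        }
        $attrs = array_map(
            function (string $attr): string {
                return strtolower(explode('=', $attr, 2)[0]);
            },
            array_slice($parts, 1)
        );
        foreach ($required as $flag) {
            if (!in_array(strtolower($flag), $attrs, true)) {
                $weak[] = $line;
                break;
            }
        }
    }
    return $weak;
}

// Constructed sample: the two Set-Cookie lines from the question's response,
// plus an unrelated cookie that must be ignored by the check.
$sample = [
    'Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/',
    'Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/; secure; HttpOnly',
    'Set-Cookie: theme=dark; path=/',
];
$weak = find_weak_session_cookies($sample, 'PHPSESSID');
// $weak contains only the first line: the cookie PHP sent on regeneration
// went out without flags, which is what the scanner reported.

// In a real request (before any output, while headers are still pending):
if (PHP_SAPI !== 'cli') {
    start_hardened_session();
    $weak = find_weak_session_cookies(headers_list(), session_name());
    if ($weak !== []) {
        error_log('session cookie sent without Secure/HttpOnly: ' . implode(' | ', $weak));
    }
}
```

The check looks at every Set-Cookie for the session cookie name, not just the last one, because each of them reaches the client; a clean response after start_hardened_session() has a single Set-Cookie for session_name() and the check returns an empty array. The same function can be run in an integration test against captured response headers to catch a regression before a scanner does.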