Tricks and Sessions of PHP Sessions

I was trying to create my own secure PHP session class when I started wondering what stops someone from emulating a session.

I.e., why not write code in test.php like

$_SESSION['logged_in'] = true; 

and then have it work with index.php, where

 if($_SESSION['logged_in'] == True){ echo 'logged in'; } 

I understand that the way around this is to secure the session by creating a secure identifier locked to the IP address and User Agent, but how exactly does that work?

I mean, if I could guess the session identifier, could I set $_SESSION['logged_in'] = true and emulate the login? Should I change the SESSION variable to check for something safer?

Sorry for my questions, and I hope I'm making some sense...

2 answers

First of all, session data is stored only on the server, so an external client cannot just create its own session data and send it to your server.

Thus, it comes down to actually guessing someone else's session identifier and assuming their identity; that is rather difficult, but not impossible. In a situation where an attacker can observe the network traffic between the victim and your server, it is completely impossible to stop them.

There are a few things you can take to make things safer:

It is also important to know when a potential takeover has occurred and to take appropriate action when that happens. You will need to keep track of which sessions belong to that user so that you can revoke them when one of them has been compromised.

Btw, locking a session to an IP address is tricky; with some Internet service providers the user will appear to come from different addresses, or several users will come from the same address. In any case, it would be better to track the user agent, as it is less likely to change.


Guessing the session ID is not session hijacking. That is harder than guessing a password. But yes, if someone obtained a session ID, they would have full access to the account in question.

Locking to an IP address simply means that you keep the original IP address used by the user when the session itself was started and check it at the start of each request to make sure it has not changed. Thus, even if the attacker obtains the correct session identifier, they will still not be able to use it.

There is a good article on the topic, as well as related StackOverflow questions: 1, 2.

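The checks the two answers describe (record a client fingerprint when the session starts, verify it on every request, drop the session on mismatch, and issue a fresh ID at login), written out as an added PHP example; this is not code from the question, the answers or any project, and the helper names, the login flow and the 'fingerprint' / 'user_id' session keys are this example's own assumptions:

```php
<?php
// Added example, not from the question or answers: bind a PHP session to a
// client fingerprint and validate it on each request. Helper names and the
// 'fingerprint' / 'user_id' session keys are assumptions of this example.

function session_fingerprint(bool $bindToIp = false): string
{
    // The User-Agent rarely changes for one browser. The IP address is
    // optional (off by default) because, as the first answer notes, some
    // ISPs rotate addresses or put many users behind one address.
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bindToIp) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

function secure_session_start(bool $bindToIp = false): void
{
    // Cookie flags limit where the session ID can leak to.
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    session_start();

    $expected = session_fingerprint($bindToIp);
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $expected;   // first request: record it
    } elseif (!hash_equals($_SESSION['fingerprint'], $expected)) {
        // Mismatch: treat as a possible takeover. Log it so operators can see
        // it, discard the session contents and switch to a fresh ID.
        error_log('session fingerprint mismatch for id ' . session_id());
        session_unset();
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $expected;
    }
}

function login_user(int $userId): void
{
    // A fresh ID on privilege change keeps a previously leaked or fixated
    // ID from turning into a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Usage: call secure_session_start() at the top of every page, login_user()
// after a successful password check, and test isset($_SESSION['user_id']).
```

With this in place, a guessed or stolen session ID presented from a different browser fails the fingerprint check and gets an empty, freshly keyed session instead of the victim's one.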

Source: https://habr.com/ru/post/955169/
