Notes on PHP Session Security

Share this article

Summarizing a discussion from here – things to watch out for when using sessions for your sites login system;

1. Shared web servers – anyone else on the server can read your session files (typically in the /tmp directory) if PHP is running as an Apache module (so the session files belong to the web user) and possibly when PHP is used as a CGI (depending on how sessions are implemented).

Someone browsing the session files (probably) won’t know the site the server the sessions apply to (so may not be able to use a username / password combination they found) but you may still be putting sensitive info (like credit card details) somewhere for all to see. Plus they’ve got a list of valid session IDs…

If you’re just storing passwords in the session, you can get away with this by using md5() (preferably twice) to one-way encypt the password. This doesn’t help though if you need to recover the value of a session variable.

Using a custom session handler to store the sessions in a database is probably the best solution. You might consider MySQL HEAP tables if performance is an issue (assuming MySQL running on same machine as Apache). If it gets to very high traffic, it’s time to think about getting your own server…

2. XSS exploits (and session hijacking) – using JavaScript users can be fooled into giving away their active session_id.

All someone needs to “hijack” a session is the unique session id. It’s like the key to a railway station locker. The locker doesn’t check you’re the valid owner of the key, before allowing you to open it so anyone with the key can get in.

Research XSS and how to prevent it.

Accept that session hijacking cannot be entirely prevented (checks on IP address, for example, is foiled by AOL, who assign a new client IP on more or less every page request) so double check “critical actions” a user can perform when logged in e.g. when changing password – require the old password, which the session hijacker will (hopefully) not know. Displaying credit card infomation – do like Amazon and only display the last four digits. Basically limit the damage someone can do if they hijack a session.

3. Session IDs in URL (and hijacking) – if you’re using session IDs in the URL (as opposed to a session cookie), make sure offsite links do not contain the session ID (or the remote site will be able to hijack) – PHP should take care of this. Also your visitors may give away the session ID in the referrer field – ideally pass off site links through a redirect page, to elimate the referrer (although, unfortunately, some browsers keep the last 3 pages viewed I believe – unsure of facts).

Ideally, don’t pass session ids in the URL – require users to accept a cookie if they need to “log in”.

4. Session Fixation (pre-hijacking) (see http://www.acros.si/papers/session_fixation.pdf).

If you assign a session to a visitor to your site, before they are logged in (for example for clickpath analysis), make sure that you assign them a new session id when they do login, so that if someone pre-generated the initial session id for them, they won’t get the new ID.

For PHP 4.2.0+, see session_regenerate_id() (in particular the user submitted comments). For PHP < 4.2.0, you’ll have to destroy the session and re-create it when the user logs in, carrying any stored data between the two. The session_id() function may also be useful (haven’t explored it in this context myself).

5. Sniffing Packets (use SSL [HTTPS]) – a session ID can be “sniffed” between the client and your server. If it’s a site where money is changing hands or other sensitive personal information is involved, SSL is a requirement.

Otherwise, without SSL, you have to live with the risk (just like you do every time you use that FTP client…).

6. Cookies are not for session data – on a related note, don’t use cookies for store sensitive information.

Cookie data, unlike sessions, gets stored on the client site. Apart from the “sniffing risk”, a large majority of Windows users have little idea of security and may be “owned by haxor”.

Otherwise, cookies (aside from session cookie PHP creates for you) are generally meant for long term (i.e. between visits) data persistance (e.g. “Remember Me”) rather than “active session” persistance.

There’s probably more things to watch out for (or facts to correct) – suggestions appreciated.

Frequently Asked Questions on PHP Session Security

What is PHP Session Security and why is it important?

PHP Session Security is a crucial aspect of web development that ensures the protection of data being transferred between the server and the client. It is important because it prevents unauthorized access to sensitive information, such as user credentials, personal details, and transaction data. Without proper session security, this data can be intercepted, manipulated, or stolen, leading to serious consequences like identity theft or financial loss.

How can I improve the security of PHP sessions?

There are several ways to enhance PHP session security. One of the most effective methods is to use secure cookies and enforce HTTPS for all sessions. This ensures that session data is encrypted during transmission, making it harder for attackers to intercept. Additionally, you can use session_regenerate_id() function to prevent session fixation attacks, and always destroy sessions properly after use to prevent session hijacking.

What is session hijacking and how can I prevent it?

Session hijacking is a type of security attack where an attacker steals a user’s session ID and uses it to impersonate the user. You can prevent session hijacking by implementing measures such as session timeout, session regeneration, and IP address checking. Also, always use HTTPS to encrypt session data during transmission.

What is the role of cookies in PHP session security?

Cookies play a vital role in PHP session security as they store the session ID on the client’s browser. This ID is then used to identify the user in subsequent requests. To enhance security, you can set the ‘secure’ and ‘httponly’ flags on cookies, which ensure that they are only sent over HTTPS and cannot be accessed via JavaScript, respectively.

How does session_regenerate_id() function enhance session security?

The session_regenerate_id() function enhances session security by generating a new session ID each time a user’s privilege level changes, such as during login or logout. This helps prevent session fixation attacks, where an attacker tries to fix the session ID to a known value.

What is session fixation and how can it be prevented?

Session fixation is a type of attack where an attacker fixes the session ID to a known value and tricks the user into using this session. It can be prevented by regenerating the session ID after each privilege level change and not accepting session IDs from user input.

How can I ensure that session data is not accessible via JavaScript?

You can ensure that session data is not accessible via JavaScript by setting the ‘httponly’ flag on cookies. This prevents the cookies from being accessed through client-side scripts, reducing the risk of cross-site scripting (XSS) attacks.

What is the impact of not destroying sessions properly?

Not destroying sessions properly can lead to session hijacking, where an attacker uses the session ID to impersonate the user. Always ensure to destroy sessions using session_destroy() function after they are no longer needed.

How does HTTPS enhance PHP session security?

HTTPS enhances PHP session security by encrypting the data during transmission between the server and the client. This makes it harder for attackers to intercept and read the session data, thus preventing session hijacking and man-in-the-middle attacks.

What are some common PHP session security vulnerabilities and how can they be mitigated?

Some common PHP session security vulnerabilities include session hijacking, session fixation, and cross-site scripting (XSS). These can be mitigated by implementing measures such as using secure cookies, enforcing HTTPS, regenerating session IDs, and properly destroying sessions after use.

Harry FuecksHarry Fuecks
View Author

Harry Fuecks is the Engineering Project Lead at Tamedia and formerly the Head of Engineering at Squirro. He is a data-driven facilitator, leader, coach and specializes in line management, hiring software engineers, analytics, mobile, and marketing. Harry also enjoys writing and you can read his articles on SitePoint and Medium.

Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week
Loading form