
I did search around to find some information about session security in PHP. I found some nice stuff, but I am still not sure if this is right and secure for session protection against common attacks.

    public static function session_start()
    {
        // Cookie-only sessions; the cookie is not readable from JavaScript and is only sent over HTTPS
        ini_set('session.cookie_httponly', 1);
        ini_set('session.use_only_cookies', 1);         // was 'session.session.use_only_cookies' (typo, setting was silently ignored)
        ini_set('session.entropy_file', '/dev/urandom'); // was '/dev/urando' (typo)
        ini_set('session.cookie_lifetime', 0);           // cookie expires when the browser is closed
        ini_set('session.cookie_secure', 1);
        if(session_status() != PHP_SESSION_ACTIVE) session_start();

        //fixation security step: rotate the id the first time this session is seen
        if(!isset($_SESSION[self::$_CHECK_KEY]) || $_SESSION[self::$_CHECK_KEY] !== self::$_CHECK_VAL)
        {
            session_regenerate_id();
            $_SESSION[self::$_CHECK_KEY] = self::$_CHECK_VAL;
        }

        //Hijacking security step: compare a salted hash of the user agent with the one stored at session start
        if(isset($_SESSION[self::$_USER_AGENT]))
        {
            if(self::CryptPass(
                    $_SERVER['HTTP_USER_AGENT'], 
                    self::$_USER_SALT,
                    $_SESSION[self::$_USER_AGENT]) 
                !== $_SESSION[self::$_USER_AGENT])
            {
                // $this is not available inside a static method; use a static property instead
                self::$ReqLogin = true;
            }
        }
        else
        {
            $_SESSION[self::$_USER_AGENT] = self::CryptPass($_SERVER['HTTP_USER_AGENT'], self::$_USER_SALT);
        }
    }

So I want to know: is there anything I can do better? Are there things I shouldn't do?

1 Answer

Security is a rather wide topic area - there's lots of things your code does not address and you've not defined the security issues being addressed. For instance, this does nothing to secure the session against other users on a shared hosting platform.

Leaving that aside for now, the obvious problem is that the Chrome browser can upgrade itself mid-session (i.e. the user agent changes). I've only seen this with Chrome (and Chromium) browsers, and it should never happen more than once in a session.

Tracking changes in IP address is a good idea - but these too can change mid-session, e.g. load balanced across multiple proxies. But it's rare for the network provider (in the whois data for the address) to change mid-session - this can still happen, e.g. if a mobile device moves from an area with only 3G connectivity to a Wifi hotspot.

You haven't provided an explicit method for forcing a change of session id when the authentication state changes. Although the fixation/hijacking covers most eventualities it's still a good idea to do an explicit change here.

symcbean
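As an added example (not code from the question or the answer above), the following helper combines the cookie hardening from the question with the two points the answer raises: an explicit session id change whenever the authentication state changes, and a user-agent check that forces a fresh login instead of silently continuing when the user agent changes. The class and method names (`SecureSession`, `start`, `login`, `logout`, `userId`) and the `CHANGE_ME_app_secret` key are assumptions for illustration only. `session.entropy_file` is omitted because that setting was removed in PHP 7.1; `session.use_strict_mode` is used instead so the server never accepts an uninitialised session id supplied by the client.

```php
<?php
// Added example, not part of the original question or answer.
// Assumed names: SecureSession, start(), login(), logout(), userId().
final class SecureSession
{
    private const INIT_KEY = '_initiated';
    private const UA_KEY   = '_ua_hash';

    public static function start(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;
        }
        // Cookie-only sessions, never from the URL; reject unknown ids;
        // cookie hidden from JavaScript, HTTPS-only, browser-session lifetime.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_strict_mode', '1');
        ini_set('session.cookie_httponly', '1');
        ini_set('session.cookie_secure', '1');
        ini_set('session.cookie_samesite', 'Lax');
        ini_set('session.cookie_lifetime', '0');
        session_start();

        if (empty($_SESSION[self::INIT_KEY])) {
            // First use of this id: rotate it so an id planted before login
            // (session fixation) can never become an authenticated session.
            session_regenerate_id(true);
            $_SESSION[self::INIT_KEY] = true;
            $_SESSION[self::UA_KEY]   = self::uaHash();
        } elseif (!hash_equals($_SESSION[self::UA_KEY], self::uaHash())) {
            // User agent changed. As the answer notes this can be a legitimate
            // mid-session browser upgrade, so rather than destroying everything
            // we drop the authenticated state and require a fresh login.
            self::logout();
            $_SESSION[self::UA_KEY] = self::uaHash();
        }
    }

    // Call once credentials have been verified: the authentication state
    // changed, so the session id changes with it (the answer's explicit step).
    public static function login(int $userId): void
    {
        session_regenerate_id(true);
        $_SESSION['user_id']   = $userId;
        $_SESSION['auth_time'] = time();
    }

    // Logout is also an authentication state change: clear the user data and
    // rotate the id so the old one is useless to anyone who captured it.
    public static function logout(): void
    {
        unset($_SESSION['user_id'], $_SESSION['auth_time']);
        session_regenerate_id(true);
    }

    public static function userId(): ?int
    {
        return $_SESSION['user_id'] ?? null;
    }

    private static function uaHash(): string
    {
        // Keyed hash of the user agent. The key below is a constructed
        // placeholder; load a real secret from configuration.
        return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', 'CHANGE_ME_app_secret');
    }
}

// Usage in a request handler (credentials_ok() is an assumed application function):
// SecureSession::start();
// if (credentials_ok($user, $pass)) { SecureSession::login($user->id); }
// ... later: SecureSession::logout();
```

`session_regenerate_id(true)` deletes the old session file as well as issuing a new id, which matters on shared hosting where another user's process could otherwise read the stale file. IP-based checks from the answer are deliberately left out; as the answer says, addresses change mid-session behind load balancers and on mobile networks, so they need a policy decision (warn, re-authenticate, or ignore) rather than a hard comparison.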