2

I am new to PHP and I am not familiar with session management. I am creating a e-commerce website so I need to create a hack-proof session. For that I googled a lot about how to prevent session hijacking. The sources I read suggest that I include in my code these functions:

\\some saying to use this
 session_start();
session_regenerate_id(true);
\\some others saying to use this
 session_start();
session_regenerate_id();

…and also to use HTTPS/TLS. In another of the stackoverflow post I came across this stuff:

  • use enough random input for generating the session ID (see session.entropy_file, session.entropy_length, and session.hash_function)
  • use HTTPS to protect the session ID during transmission
  • store the session ID in a cookie and not in the URL to avoid leakage though Referer (see session.use_only_cookies)
  • set the cookie with the HttpOnly and Secure attributes to forbid access via JavaScript (in case of XSS vulnerabilities) and to forbid transmission via insecure channel (see session.cookie_httponly and session.cookie_secure)

But I cannot understand those. It’s just theory to me; instead what I would like to have is some PHP code does those things—or any website having those things implemented, with PHP code that I could see and us as an example (and that ideally had some explanation to go along with it).

Community
  • 1
  • 1
Arun karthi Mani
  • 100
  • 1
  • 3
  • 15
  • If you don't want to use a CMS, I would recommend to use a framework. Frameworks gives you a lot of "free" security. [Laravel](http://laravel.com/) is one of the most popular PHP frameworks and includes an auth function that should help you with point 1, 3 and 4. – SebHallin Sep 13 '15 at 09:46
  • @SebastianHallin i have been also using frameworks like codeignitor etc.. but i don't have knowledge in sessions . I want to gain knowledge in it – Arun karthi Mani Sep 13 '15 at 10:05
  • @SebastianHallin please help me or direct me to gain knowledge in it i even don't kow to use cookies properly , I already figured out sql injection and hashing but in case of sessions i lack knowledge it – Arun karthi Mani Sep 13 '15 at 10:08

1 Answers1

7

Session hijacking - it is when somebody knows your session identification number, provides it to the severs and, for example, logins with your priveleges.

XSS - cross site scripting, it is connected with badly filtered forms, which allow bad guys to implement their javascript code and still, for example, you cookie files. They are 2 different forms of attack.

About preventing session hijacking some tips: 1) Set php.ini directives:

session.use_only_cookies = 1 -> for using only cookie based session ids
session.use_trans_sid = 0 -> disable showing PHPSESSID in browser url

2) About sessions

session_start();// -> starts your session. 
//Your browser will accept http header with session id and store it.
//You will be identified by this session id, usually PHPSESSID

It is looking like that:

GET / HTTP/1.1
Host: example.org
User-Agent: Mozilla Compatible (MSIE)
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=1234

When session started you can provide any data to php global array $_SESSION, like

$_SESSION['var'] = 'abc';

If someone knows your PHPSESSID, he can send the same http header to the server and start using it, like he is you.

So, the best way to avoid it:

a) use session_regenerate_id() everytime you provide any important data. It will delete old session number and generate a new one.

b) save in $_SESSION you fingers: ip adress and/or browser-agent. If they differs, than - it is not you. For example:

session_start();
if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
     {
         //some code
     }
}
else
{
     $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

c) use SSL for providing sensitive data.

Hope, you'll find it usefull.

Dmitrii Cheremisin
  • 1,498
  • 10
  • 11