1

I have a session formed the following way:

function sec_session_start() {
$session_name = 'primary_session';
$secure = false;
$httponly = true;
if (ini_set('session.use_only_cookies', 1) === FALSE) {
    header("Location: /error?e=1");
    exit();
}
$cookieParams = session_get_cookie_params();
session_set_cookie_params(3600,$cookieParams["path"],$cookieParams["domain"],$secure,$httponly);
session_name($session_name);
session_start();
session_regenerate_id(true);
}

I use this on all my page by adding sec_session_start(); on my index page, which requires correct files depending on what page I am accessing.

It works perfectly fine with slow navigation.

However, when rapid navigational clicks occur, for some reason it unchecked, and the user is logged out. How come?

This is the button I press rapidly. NOTE: It also changes the page from www.example.com to www.example.com/users, and then just repeats www.example.com/users until session is broken.

User Logged In

And this is the result after about, 2-3 rapid clicks. Works fine when pressed 1-2 times a second, max.

User logged out

I have tried not using it as a function, and putting it on the absolutt TOP of the page without success.

Gjert
  • 1,069
  • 1
  • 18
  • 48
  • I think, that maybe that seems to be a feature of your browser. Maybe when your browser sees that you are trying to reload a page it, makes a full reload where the cache and maybe also cookies are cleared so that the session cookie is not avaible anymore and you are logged out. (This is my idea, i did not test anything.) – Reflic Feb 02 '16 at 20:17
  • Occurs in all browsers, including latest Safari and Mozilla update. Besides, cookie time is 1 hour. – Gjert Feb 02 '16 at 20:18
  • @Reflic Agree, however, could it be a php.ini issue? I have no such file and use all standard options.. – Gjert Feb 02 '16 at 20:20
  • @Reflic Would love if you could up vote to raise more attention. It's such a weird issue. Never experienced it before... – Gjert Feb 02 '16 at 20:28
  • I think i found the error. Why are you using ´session_regenerate()´ here? – Reflic Feb 02 '16 at 20:31
  • @Reflic, Tested without, not the problem. I use it to prevent session fixation attacks. – Gjert Feb 02 '16 at 20:35

2 Answers2

1

The error seems to be session_regenerate(true).

This command generates a new session id. The parameter will delete the old session file if it is set to true. In this code it is set to true, so the session is created an started and then directly closed and deleted.

I think it appears only a few times because the command is called after session_start() was called and the output already started.

Try changing the parameter to false. For the right use of session_regenerate() look into this question.

Community
  • 1
  • 1
Reflic
  • 1,411
  • 15
  • 25
  • Edit: Yes, it worked. Just took some time for the update to go through. Thank you! However, quick question, how can I prevent this, but still stay safe from session fixation attacks? – Gjert Feb 02 '16 at 20:44
  • When I have understood the other question right, session_regenrate() prevents you from session fixation attacks, also with out deleting the session data. – Reflic Feb 02 '16 at 21:19
0

You appear to be discarding the old session ID on every page load. This is unnecessary, inefficient, and causes breakage.

If you navigate twice in quick succession what can happen here is:

  • the first request hits the server and starts executing your PHP, causing session_regenerate_id(true) to destroy the old session
  • this will cause the response from the PHP script to include a Set-Cookie: sessionid=something header, asking the browser to update its cookie to point to the new session
  • but the browser hasn't received the response from the script quite yet
  • you click a second time
  • the browser discards the existing request. Any Set-Cookie header isn't going to get listened to now
  • the browser makes a new request to your server. The browser doesn't know anything about a new session, so it includes the old session cookie
  • your script sees the old session cookie, which points to nothing, so user has to start a new session which isn't logged in

If you have an anti-Cross-Site-Request-Forgery system based on storing a synchroniser token in the session, then regenerating the session ID on every page load will also make any forms you use inoperable when the browser has multiple tabs open on the site at once, or when the user navigates with the Back button.

You should only session_regenerate_id when the authentication associated with a session is changed (primarily, when the user logs in).

Changing session IDs does not prevent session fixation; it is only a mitigation for when session fixation has already occurred through some other means (eg a vulnerable app on a neighbour subdomain injects a cookie into the shared parent domain).

If you didn't change the session ID, then an attacker who had already gained session fixation could get a full session hijack, by giving you a session ID she already generated and knows, and letting you log in using that session, upgrading it to an authenticated session. When you change the session ID on auth boundaries that isn't possible; the worst she can do now is push you into a session in which you are unexpectedly logged in as her. Which isn't ideal, but generally this constitutes a much less damaging attack.

bobince
  • 528,062
  • 107
  • 651
  • 834
  • So basically I use it on login/logout? or whenever I need to change password for example? :) – Gjert Feb 03 '16 at 08:19
  • Certainly on login and any alternative paths that lead to authentication (eg signup, forgotten password). Some applications might have concepts of different authentication levels which would also need it (eg you can be persistently ‘logged in’ but still need to reauthenticate before doing sensitive operations), plus if you have a change-user function. Logout probably could be included for consistency, though I can't think of any attack involving fixing a session which then becomes *less* privileged. – bobince Feb 03 '16 at 13:39