
Background

I've been a PHP developer for several years, but mostly using an open source CMS such as WordPress or Drupal. Both of these manage sessions in their own way, and for the most part I never paid attention to them. Now I am building a custom website without using these CMSs, which means I need to manage the session myself. As this has lots of security implications I wanted more information about it. I understand security threats affecting form building, URLs and general input, but very little about session threats.

I noticed in my Chrome inspector that my session cookie was named "PHPSESSIONID". This is of course kind of gross. So I found I could change it using either the php.ini setting `session.name = "mysitename"` or, in code, something like `session_name('mysite_' . $some_value);`

The question.

What should I be setting this session name to? Is there a web standard for this? I did search for one and found nothing; maybe I have the wrong keywords.

What are the security implications of setting this name? Should I include some specific variable in the name, or not include a variable due to some possible conflicts? I'm really starting from scratch on the security side here, so any info helps.

asked by danielson317
    session names are irrelevant. they can be "this_is_the_session_cookie", "RDASDF@3234erasdfWe4r2343", or just "php_sessid". any string that's valid as a cookie name is a valid session name. pick one and move on to more important things. – Marc B Jun 27 '16 at 14:17
  • 1
    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet – Jay Blanchard Jun 27 '16 at 14:18
  • As I understand, you're afraid that someone will know your session name. Are you trying to hide something? You can remove just the php-part. I mean, if you have just one cookie, it'd be obvious that it's the session. – Al.G. Jun 27 '16 at 14:21
  • @Al.G. I don't know what s.o. is. I'm not trying to hide anything per se. I'm just trying to make sure my site is secure. It does have some sensitive information (HIPAA mostly). I know session hijacking and man-in-the-middle attacks target session cookies somehow. I just want to make sure I follow best practices for secure systems. – danielson317 Jun 27 '16 at 14:24
  • "This is of course kind of gross." Of course? Leave it alone. No reason to complicate stuff for no good reason. The session cookie's name has no security relevance. Its HttpOnly status may, though. – ceejayoz Jun 27 '16 at 14:55
  • @MarcB If the session id is different based on some variable such as a URL argument, will it allow the user to have multiple sessions? For example, I access the site from `example.com/first` and `example.com/second`, and the session name is set to 'example_first' and 'example_second' respectively; can the user now switch between two sessions? (Assume I cleaned the URL parameter before appending.) – danielson317 Jun 27 '16 at 15:13
  • in ugly terms, a php session is basically `setcookie(session_name(), session_id())`. if you want to maintain per-directory sessions, then you'll have to pick out appropriate names for each session. but what those names are is pretty much irrelevant. it's just a cookie name, and its name doesn't need to have ANY meaning to anyone except you. – Marc B Jun 27 '16 at 15:14

1 Answer

Changing this name will not have a great impact; as far as I know you do not need to care about this too much. PHPSESSIONID is the unofficial name for it and therefore does not give much information about it.

A more important part of preventing abuse of sessions is the use of tokens in all forms. If you need more information about this, just tell me.

Another very important aspect is a possible SQL injection attack, which could have a critical impact since you handle sensitive information. To prevent this I recommend the use of prepared statements; more about this here.

But back to your sessions: it is very important that you call session_start at the start of every script and do some testing. I will give you my way of handling sessions below (any criticism is highly welcome). This session should have some flags set, like the secure flag and HttpOnly; more about PHP session flags here.

Furthermore, sessions should have a limited lifetime and be automatically discarded after it has expired. Another minor point is to regenerate the session id (the value, not the name ;) ) every time a new session starts; this function does exactly this. Just call it when a user logs in.

I hope this helps, if you have any more questions feel free to ask.

And here is my function, which is called at the beginning of every file, except the login page of course:

<?php
// Called at the beginning of every file except the login page.
function auth()
{
    $curFile = basename($_SERVER["PHP_SELF"]);
    if ($curFile == "login.php")
    {
        return;
    }

    // Cookie domain is taken from the request's Host header.
    $domain = $_SERVER["HTTP_HOST"];

    if (session_status() != PHP_SESSION_ACTIVE)
    {
        // lifetime 0 (browser session), path "/", secure = true, httponly = true
        session_set_cookie_params(0, "/", $domain, true, true);
        session_start();
    }

    // Idle timeout: throw the session away once it has expired and start a fresh one.
    $now = time();
    if (isset($_SESSION["discard_after"]) && $now > $_SESSION["discard_after"])
    {
        session_unset();
        session_destroy();
        session_set_cookie_params(0, "/", $domain, true, true);
        session_start();
    }

    // New session id on every request; true deletes the old session data.
    session_regenerate_id(true);

    // Expire after 120 seconds of inactivity.
    $_SESSION["discard_after"] = $now + 120;

    // "angemeldet" = logged in; anyone not logged in is sent to the login page.
    if (!isset($_SESSION["angemeldet"]) || !$_SESSION["angemeldet"])
    {
        header("Location: https://" . $domain . "/login.php");
        die();
    }
}

In my login file I set the session as follows:

<?php
$domain = $_SERVER["HTTP_HOST"];
// 30-minute cookie lifetime, Secure and HttpOnly
session_set_cookie_params(1800, "/", $domain, true, true);
session_start();
// Fresh session id once the user has authenticated
session_regenerate_id(true);
// Do whatever you want to do to your $_SESSION
$_SESSION["angemeldet"] = true;
$_SESSION["name"] = "Fancy name";
// ...
answered by JRsz
    Well, from the comments and this answer it sounds like the actual name of the cookie is irrelevant. Good to know. I can focus on just creating a secure session instead. I am aware of SQL injection and how to protect against that. The regenerate session_id thing looks useful, so I'll look more into that. Thanks. – danielson317 Jun 27 '16 at 15:08
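As an added example (not code from the question or from JRsz's answer), the same idea in current PHP (7.3 or later for the array form of session_set_cookie_params): an arbitrary cookie name, Secure/HttpOnly/SameSite flags, strict mode so ids the server never issued are rejected, a server-side idle timeout, and a fresh id only at login. The function names and the cookie name mysite_sid are assumptions.

```php
<?php
// Added example, not the original answer's code; function and cookie names are assumptions.
function bootstrap_session(int $idle_seconds = 900): void
{
    // Reject session ids the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    // Only read the id from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // The cookie name carries no security meaning; any valid cookie name works.
    session_name('mysite_sid');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dropped when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only; does not trust HTTP_HOST
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',    // limits inclusion in cross-site requests
    ]);

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Idle timeout enforced server-side, independent of the cookie lifetime.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > $idle_seconds) {
        $_SESSION = [];
        session_destroy();
        session_start();        // strict mode discards the stale id and issues a new one
    }
    $_SESSION['last_seen'] = $now;
}

// Call only after credentials have been verified: a new id stops a pre-login
// id from carrying over into the authenticated session.
function login_user(string $user): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user'] = $user;
}

// Guard for every page except the login page itself.
function require_login(string $login_url = '/login.php'): void
{
    if (empty($_SESSION['user'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}
```

Call bootstrap_session() at the top of every script, require_login() on protected pages, and login_user() once in the login handler; the session id is regenerated at the privilege change rather than on every request.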