Possible Duplicate:
PHP Session Security

I am using sessions all throughout my application. I want to make them much more secure. Currently I am using code like $username = $_SESSION['username']; and the like.

How do I make my sessions more secure?

sarthak
  • You are just assigning a value to a variable. This code, out of its scope, is not very significant. Why do you think your approach is not secure? – Francesco Laurita Jan 25 '11 at 21:01
  • You can also store the client's IP address and browser User-Agent in a session variable when he logs in. That way you can verify them on each subsequent request. It's a lot easier to spoof the session ID than an IP address. – dirkbonhomme Jan 25 '11 at 21:12

3 Answers

The first thing you'll want to watch out for is Session Hijacking. To quote Wikipedia:

In computer science, session hijacking refers to the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

The basic idea is, if a visitor to your website (Alice) has a session cookie and a session ID (let's assume it's 12345), then if a malicious user (Mallory) is able to learn Alice's session ID via either JavaScript, traffic sniffing, social engineering or other methods, then Mallory can browse to your site and set his session ID to 12345 and he effectively becomes Alice.

One way to prevent this is to alter the session ID on every request, which you can do via the PHP session_regenerate_id function. You would call session_regenerate_id at the beginning of every request, after calling session_start().

Please be aware that this is a very complicated topic. I'd highly recommend reading the Wikipedia article and making sure you fully understand the issues at play.

EDIT: I was about to type a lot more information out for you, but then I realized that your question really is a duplicate of this StackOverflow question. I'd recommend reading that as a starting point.

Josh

It depends a lot on what you are trying to protect. If you are worried that the information contained in the session could be exposed or modified, you don't have to worry about that, since it can only be seen and modified by the server.

If you are worried about the possibility that some people could use other people's sessions, you can do the following:

  • Analyze your code and make sure you have no XSS flaws.
  • Use SSL to prevent session hijacking if your visitors are using public networks.
  • Make sure your sessions are using the HTTP Only flag.
HoLyVieR

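The measures from the two answers above (regenerating the session ID after session_start(), cookie-only session IDs, and the HttpOnly and SSL-only cookie flags) combined into one bootstrap function, as an added example that is not code from either answer. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), an HTTPS-only site, and that the login code stores a hypothetical $_SESSION['user_id'] key.

```php
<?php
// Added example: a session bootstrap applying the measures discussed
// in the answers above. Assumes PHP >= 7.3 and an HTTPS-only site.

function secure_session_start(): void
{
    // Accept session IDs only from cookies, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued instead of adopting them.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, discarded when browser closes
        'path'     => '/',
        'secure'   => true,    // sent only over SSL/TLS
        'httponly' => true,    // not readable from JavaScript (the "HTTP Only" flag)
        'samesite' => 'Lax',
    ]);

    session_start();

    // Rotate the ID on every request; `true` deletes the old session data
    // so a previously captured ID stops working immediately.
    session_regenerate_id(true);
}

// Call on successful authentication. Assumed helper: $userId comes from
// the application's own credential check, and 'user_id' is a hypothetical key.
function login_user(int $userId): void
{
    // Regenerate once more at the privilege change so the authenticated
    // session never shares an ID with the pre-login one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

secure_session_start();
```

Regenerating on every request can break concurrent requests (AJAX calls racing each other), so many deployments regenerate only at login and on a timer rather than on every hit.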
Use the md5 version of a password in the database and then md5-encrypt the session password, so that if the password is correct, these 2 values will be the same.