
I have several questions about PHP sessions:

  1. I am expecting my Apache server to remove old PHP session data from the server automatically when the session expires. Is this a setting somewhere in PHP, or somewhere else on the server? For example, I have the expire time already set to 15 minutes, and after a session expires I'd want it to be deleted from the server, to prevent the build-up of 100 thousand session files:

    $expireTime = 60 * 60 * .25; // 15 minute expire time

    session_set_cookie_params($expireTime,"/");

  2. To prevent fixation, I do the following on every single page load in the WebApplication:

    session_start();

    session_regenerate_id(); // Prevent Fixation: Regen session ID every page load.

Which leads me to another question - if I regenerate the session ID every time (and because I do this, I create a new session file on my server) - can I somehow delete the previous session file safely, immediately? Or is this bad practice altogether?

  3. I plan to store a lot of base user information in the session - is this bad practice right away? Information includes:

    • Several IDs related to various permissions in the system. I would do checks on every page to see that their session ID matches an ID of information that is being displayed. BUT - if a user can somehow change their session data, this is obviously not going to work.
    • User first/last name, and email address
    • Other base information about the user, used for display only.
  4. I plan to implement IP checks, so that before the above code, the server checks the current IP ( $_SERVER['REMOTE_ADDR'] ) and verifies it matches the previous IP. If not, I redirect to the login page. If it does, then we can continue on and regenerate a new session ID as listed above... Thoughts on this?

Is there anything I'm missing for having an accepted Session security solution?

Shackrock

  • http://stackoverflow.com/questions/1221447/what-do-i-need-to-store-in-the-php-session-when-user-logged-in/1225668#1225668 – Andrew Moore Mar 06 '11 at 16:11

3 Answers


1. PHP is a little confusing when dealing with old session data.

The following php.ini directives play a role when determining what session data to delete:

session.gc_probability
session.gc_divisor
session.gc_maxlifetime

These three directives control the probability that, when session_start() is issued, PHP will look for and clean up the old sessions.

You can check the exact meaning of these directives here: http://www.php.net/manual/en/session.configuration.php

Also, PHP packages in most distros register a cron job that cleans the session directory; for example, on my Ubuntu box the job runs every 30 minutes and looks for files that are older than the number of seconds specified in /usr/lib/php5/maxlifetime.

Short: you don't really have to worry about this.

2. You don't have to regenerate the session id on every page load, it is enough to regenerate it at login. (or when the privileges associated with the session id change).

Storing user information in the session is not a bad practice. However, in this case, I would only store the userid, and pull the user information out based on it, on page load.

Imagine the following scenario:

User A logs in.
User B logs in.
User B deletes User A from the system.
User A is still logged in, because he has the (now deleted) user data in his session.

Comparing the IP with the IP that made the previous request is okay, just keep in mind that there can be valid reasons for the IP to change, for example if someone is browsing the site with TOR, so give an option to the user to skip this check. (you can also check the browser's user_agent)

K. Norbert
  • Good point on your #2, data can change within the system, and I always want to pull out the most recent. Great, thanks. Re: IP checks - the system deals with financial data, so in my opinion, I don't even want somebody using TOR or switching proxy servers all the time... I'd rather have a more robust security measure in the site than provide some users anonymity... – Shackrock Mar 06 '11 at 15:21
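The points in this answer (let PHP's garbage collector handle expiry, regenerate the ID at login rather than on every request, keep only the user id in the session and re-read the user record on each page) combined into one page bootstrap. This is an added example, not code from the question or the answer; the in-memory USERS table is constructed here in place of the database query the answer recommends, and the login() stub assumes the password check has already happened elsewhere.

```php
<?php
// Added example. USERS is a constructed stand-in for the application's user table.

declare(strict_types=1);

// Let PHP's own garbage collector expire idle sessions after 15 minutes.
// gc_probability / gc_divisor = 1/100: roughly one in every 100 session_start()
// calls runs a GC pass over the session save path (the php.ini directives named above).
ini_set('session.gc_maxlifetime', '900');
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued

session_start();

// Constructed user table; in a real application this is a database lookup.
const USERS = [
    1 => ['name' => 'Alice Example', 'email' => 'alice@example.invalid', 'roles' => ['admin']],
    2 => ['name' => 'Bob Example',   'email' => 'bob@example.invalid',   'roles' => ['user']],
];

/**
 * Bind the session to an authenticated user. Assumes credentials were already
 * verified. Regenerate the ID here (a privilege change), not on every request;
 * true deletes the old session file at once, so whatever ID the browser held
 * before login no longer maps to this authenticated session.
 */
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId];   // store only the identifier
}

/** Resolve the current user on every page load; null if nobody is logged in. */
function currentUser(): ?array
{
    $id = $_SESSION['user_id'] ?? null;
    if ($id === null) {
        return null;
    }
    $user = USERS[$id] ?? null;   // fresh lookup: reflects deletions and role changes immediately
    if ($user === null) {
        logout();                 // the answer's scenario: User A was deleted while logged in
        return null;
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Typical page: require a user, then render display-only fields from the fresh record.
$user = currentUser();
if ($user === null) {
    header('Location: /login.php');   // assumed login page path
    exit;
}
echo htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8');
```

Because the session holds nothing but the id, permission checks compare the freshly loaded roles against the data being displayed, so a user whose roles were revoked loses them on the next request rather than at the end of the session.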

I am expecting my Apache server to remove old php session data from server automatically, when the session expires. Is this a setting somewhere in PHP or somewhere else in the server?

The session expiration scheme of PHP’s default session handler is quite complicated and is rather lazy. Although a session is expired in theory, it is not destroyed immediately. PHP uses a garbage collector that removes expired session data.

But the cookie lifetime (i.e. session.cookie_lifetime) has nothing to do with the session expiration. It just controls the cookie’s lifetime and the session can still be valid even if the cookie is expired and vice versa.

See also my answer to How do I expire a PHP session after 30 minutes? for further information.

[…] if I regenerate the session ID […] can I somehow delete the previous session file safely, immediately? Or is this bad practice all together?

No, changing the session ID on a session state change is important. To destroy the session data that is still associated to the old session ID you just need to set the delete_old_session parameter to true, i.e.:

session_regenerate_id(true);

But I wouldn’t change the session ID on every request but only on a session state change like after a successful authentication, after a change of privilege level, etc. Additionally, change the session ID periodically after a certain amount of time (e.g. five minutes).

I plan to implement IP Checks […] and verify it matches the previous IP. […] Thoughts on this?

I don’t think this is a good idea, because it is possible that the client does not have the same IP address during the whole session. Possibly the IP address even changes with every request. Better use other information provided by the client that is less likely to change over multiple requests.

Gumbo
  • Unless you're using TOR or some crazy proxy switcher, why would a user's IP address change often during a session? I just can't fathom why it would happen... – Shackrock Mar 07 '11 at 01:18
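The rest of this answer's advice in code: a server-side idle timeout that does not depend on the cookie lifetime, periodic regeneration with session_regenerate_id(true), and binding the session to a client attribute that is more stable than the IP address (the User-Agent header, which the first answer also mentions). This is an added example, not the answerer's code; IDLE_LIMIT and ROTATE_EVERY are values chosen here, and the policy is kept as a pure function so it can be reasoned about without a web server.

```php
<?php
// Added example. The two limits below are assumptions, not values from the answer.

declare(strict_types=1);

const IDLE_LIMIT   = 15 * 60; // server-side idle timeout; the cookie lifetime is a separate thing
const ROTATE_EVERY = 5 * 60;  // rotate the session ID at least this often

/**
 * Decide what to do with a session on this request. Pure function over the
 * session array and request facts; returns 'fresh', 'ok', 'rotate', 'expire' or 'mismatch'.
 */
function sessionPolicy(array $session, int $now, string $userAgent): string
{
    if (!isset($session['last_activity'])) {
        return 'fresh';
    }
    if (($session['user_agent'] ?? '') !== $userAgent) {
        return 'mismatch';   // client fingerprint changed: do not trust this session any further
    }
    if ($now - $session['last_activity'] > IDLE_LIMIT) {
        return 'expire';     // idle too long, whether or not the browser still has the cookie
    }
    if ($now - ($session['last_rotated'] ?? 0) > ROTATE_EVERY) {
        return 'rotate';
    }
    return 'ok';
}

/** Apply the policy for the current request. Call right after session_start(). */
function enforceSession(): void
{
    $now = time();
    $ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';

    switch (sessionPolicy($_SESSION, $now, $ua)) {
        case 'expire':
        case 'mismatch':
            $_SESSION = [];
            session_destroy();            // drop the stored data
            session_start();              // begin an anonymous session
            session_regenerate_id(true);  // under a new ID, old file removed
            // fall through: initialise it like a fresh session
        case 'fresh':
            $_SESSION['user_agent']   = $ua;
            $_SESSION['last_rotated'] = $now;
            break;
        case 'rotate':
            session_regenerate_id(true);  // periodic rotation, old session file deleted immediately
            $_SESSION['last_rotated'] = $now;
            break;
        case 'ok':
            break;
    }
    $_SESSION['last_activity'] = $now;
}

session_start();
enforceSession();
```

A mismatch or expiry is deliberately handled by destroying and restarting rather than by redirecting with the old session intact, so a request arriving with a stale ID can never carry the previous user's data forward; the login page then sees an empty session.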

You can write your own session handler to decide yourself how and where to save your session data.

http://php.net/manual/en/function.session-set-save-handler.php

Then you have complete control, and you can save data in the db or in encrypted form.

tacone