
I am a student working on a web application design. I am new to web sessions and the security issues related to them.

On this page, Session Replay vs Session Fixation vs Session Hijacking, a Stack Exchange user listed ways to be protected from session attacks (e.g. session replay, session fixation, session hijacking).

May I ask whether the points listed on the webpage above are sufficient to be protected from session attacks? If not, could you list other things that I need to do to be protected from session attacks?

st_acc

1 Answer


There are numerous "session" attacks possible, and that link does not enumerate them all.

I would highly recommend referring to the OWASP Session Management Cheat Sheet for a more comprehensive look at session management security. In case you're not familiar, OWASP is the "Open Web Application Security Project," which is one of the key open source resources for web application security. They also produce the OWASP Top 10, which attempts to enumerate the most common web application security issues.

Some potential session security attributes to consider that are not covered by your link:

This link also has PHP-specific guidance, covering Session Lifecycle, Session ID, Session Cookie, and Session data storage.

I'd also highly recommend using a standard PHP library for session management, which will abstract many of these problems away from you. The appropriate library will depend on the framework you're using.

RamiMac
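To make the cheat-sheet controls the answer points to concrete (unguessable session IDs, regeneration on login against fixation, idle and absolute timeouts, server-side invalidation on logout so a captured ID cannot be replayed, and cookie attributes against hijacking), here is an added example of a minimal server-side session store. It is illustrative code written for this page, not code from the question's linked post, from OWASP, or from any PHP library; the cookie name `SESSIONID`, the timeout values and the `SessionStore` API are assumptions chosen for the example.

```python
"""Minimal server-side session store showing common session-management controls."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime from creation, regardless of activity (assumed value)
COOKIE_NAME = "SESSIONID"     # hypothetical cookie name, not a PHP or framework default


@dataclass
class Session:
    user_id: Optional[str]          # None until the user authenticates
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)   # application state lives server-side, never in the cookie


class SessionStore:
    """Opaque random IDs, server-side state, regeneration on login, two timeouts."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock             # injectable so tests can advance time deterministically
        self._sessions: dict[str, Session] = {}

    def create(self) -> str:
        # 32 bytes from the OS CSPRNG: the ID carries no user data and is not guessable
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, or None if it is unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created_at > ABSOLUTE_TIMEOUT:
            self.destroy(sid)           # expired sessions are removed, not merely ignored
            return None
        sess.last_seen = now
        return sess

    def login(self, old_sid: str, user_id: str) -> str:
        """Authenticate: issue a fresh ID and drop the pre-login one (session fixation defence)."""
        self.destroy(old_sid)           # whatever ID the browser arrived with is never upgraded
        new_sid = self.create()
        self._sessions[new_sid].user_id = user_id
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout or expiry: invalidate server-side so a captured ID cannot be replayed."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HTTPS only, invisible to JavaScript, not sent on cross-site requests."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()                 # anonymous session before login
    sid = store.login(sid, "alice")      # ID changes at the privilege boundary
    print("Set-Cookie:", session_cookie(sid))
    store.destroy(sid)
    print("after logout:", store.get(sid))
```

The `clock` parameter exists only so the timeout logic can be exercised without waiting; in a real deployment the store would live in a shared backend (database or cache) rather than a process-local dict, and the framework's own session library would normally supply all of this.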