php-security

Preventing session hijacking and forgery attacks

Regenerating session IDs
.
- Why?
- Shortens the amount of time the session identifier is exposed
- How?
- session_regenerate_id()
Providing a logout option
.
- Why?
- Shortens the time session identifier is active
- Destroys actual session data
- How?
- Unset $_SESSION values
- Expire session cookie
- Run session_destroy()

Keeping sessions short
.

Do this for sensitive operations
Why?
Limits the exposure to attack
How?
Set up a timer file
If session is past time:
Reset $_SESSION, expire cookie, run session_destroy()
Important!
session.cache_limiter, session.cache_expire do not affect lifetime of the session!

Do not rely solely on session ID
.

Build a "profile" of the user:
$_SERVER["HTTP_USER_AGENT"]
$_SERVER["REMOTE_ADDR"]
$_SERVER["HTTP_ACCEPT_LANGUAGE"]
Reasonable date and time

Preventing session hijacking and forgery attacks

Regenerating session IDs

Why?
Shortens the amount of time the session identifier is exposed
How?
session_regenerate_id()

Providing a logout option

Why?
Shortens the time session identifier is active
Destroys actual session data
How?
Unset $_SESSION values
Expire session cookie
Run session_destroy()

Keeping sessions short

Do this for sensitive operations
Why?
Limits the exposure to attack
How?
Set up a timer file
If session is past time:
Reset $_SESSION, expire cookie, run session_destroy()
Important!
session.cache_limiter, session.cache_expire do not affect lifetime of the session!

Do not rely solely on session ID

Build a "profile" of the user:
$_SERVER["HTTP_USER_AGENT"]
$_SERVER["REMOTE_ADDR"]
$_SERVER["HTTP_ACCEPT_LANGUAGE"]
Reasonable date and time

Preventing session hijacking and forgery attacks

Regenerating session IDs

Why?Shortens the amount of time the session identifier is exposedHow?session_regenerate_id()

Providing a logout option

Why?Shortens the time session identifier is activeDestroys actual session dataHow?Unset $_SESSION valuesExpire session cookieRun session_destroy()

Keeping sessions short

Do this for sensitive operationsWhy?Limits the exposure to attackHow?Set up a timer fileIf session is past time:Reset $_SESSION, expire cookie, run session_destroy()Important!session.cache_limiter, session.cache_expire do not affect lifetime of the session!

Do not rely solely on session ID

Build a "profile" of the user:$_SERVER["HTTP_USER_AGENT"]$_SERVER["REMOTE_ADDR"]$_SERVER["HTTP_ACCEPT_LANGUAGE"]Reasonable date and time

Why?
Shortens the amount of time the session identifier is exposed
How?
session_regenerate_id()

Why?
Shortens the time session identifier is active
Destroys actual session data
How?
Unset $_SESSION values
Expire session cookie
Run session_destroy()

Do this for sensitive operations
Why?
Limits the exposure to attack
How?
Set up a timer file
If session is past time:
Reset $_SESSION, expire cookie, run session_destroy()
Important!
session.cache_limiter, session.cache_expire do not affect lifetime of the session!

Build a "profile" of the user:
$_SERVER["HTTP_USER_AGENT"]
$_SERVER["REMOTE_ADDR"]
$_SERVER["HTTP_ACCEPT_LANGUAGE"]
Reasonable date and time