Menu
I am trying to secure my sessions. While doing some research, I reckoned that PHP's PHPSESSID+random hash based on Agent and IP is good enough to secure against hijacking. What else can you do, really.
I am using HTTPS for the login. As far as I could understand, the session data from PHP is never sent to the user, but rather stored on the server-side. The client only gets the id for the session. The session data holds the actual webapp's user session, which in turn is used to check if the login is valid. All fine and dandy.
However, there is a detail I can't find anywhere. I would like to to know if the cookie containing the PHP session id is automatically marked secure if I am using HTTPS. I did some google searches but never seemed to get the right search string because i only find ways of manually sending cookies. I would like to know because if that cookie is sent clear-text, it would compromise some of the security via man-in-the-middle.
This is an addition for @ircmaxell
I tried out your method but somehow I still get the cookie when I switch from HTTPS back to HTTP. The way it should work is the following. Whenever the server is aware that a user session is available, it sets the secure flag. This means that the entire site runs on SSL as soon as you are logged in and refuses to give away/use the cookie whenever you don't use SSL. Or at least, that's the idea.
if ($SysKey['user']['session_id'] != '') {
session_set_cookie_params(60*60*24*7, '/', $SysKey['server']['site'], true, true);
}
I assume I need to regenerate the id since the Browser already had the cookie before the login but since I can only try it out in a few hours, I'll ask here before trying
I just found out that you have to set these settings before starting the session. That was my problem. I am now using 2 different cookies. One for the regular guest that is sent via http, and a second for logged in users that is only sent via ssl.
970
Session cookies store information about a user session after the user logs in to an application. This information is very sensitive, since an attacker can use a session cookie to impersonate the victim (see more about Session Hijacking).
Sessions are NOT serverside, they are stored on the clients local machine (you can go in your cookies and look for a cookie called phpssid under your domain name). Yes they can be hacked, and this is in fact a very common method of hacking.
Yes. PHP sessions rely on a cookie containing a session key. Your session data are stored only on your server, but a unique ID is assigned to each session and that ID gets saved in a cookie.
How it works. The session data are encrypted using a random key stored in a cookie variable starting with the prefix KEY_ . This random key is generated using the random_bytes() function of PHP 7.
Don't even think about rolling your own session handler!
PHP's session has been broken many times, and because of this it has been made more secure now than ever before. When a new issue is found it will be fixed quickly and for FREE. However, you might want to add these options:
session.cookie_secure=True
session.cookie_httponly=True
session.use_cookies=True
session.use_only_cookies=True
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
