Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP: best solution against hijacking sessions [duplicate]

Tags:

security

php

What are some guidelines for maintaining responsible session security with PHP? There's information all over the web and it's about time it all landed in one place!

like image 269
saint_groceon Avatar asked Jun 28 '26 11:06

saint_groceon


2 Answers

There are a couple of things to do in order to keep your session secure:

  1. Use SSL when authenticating users or performing sensitive operations.
  2. Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
  3. Have sessions time out
  4. Don't use register globals
  5. Store authentication details on the server. That is, don't send details such as username in the cookie.
  6. Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking. You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc (which is the case in our environment here).
  7. Lock down access to the sessions on the file system or use custom session handling
  8. For sensitive operations consider requiring logged in users to provide their authenication details again
like image 108
grom Avatar answered Jul 01 '26 01:07

grom


One guideline is to call session_regenerate_id every time a session's security level changes. This helps prevent session hijacking.

like image 35
saint_groceon Avatar answered Jul 01 '26 01:07

saint_groceon