php sessions security query

Thanks for your replies. I have updated my PHP session code.

I have got rid of the user agent check as @Rook has shown me the flaws in the logic.

Unfortunately I messed up the original question by editing it and now I can't get it back, sorry guys, but @Rook did solve the original question I had.

Thanks again for your help guys, daza166

daza166 asked Dec 17 '22 14:12


2 Answers

Nothing that you are doing is really improving the strength of a session. You have to be clear about what attack you are defending against, because your checks do not prevent attacks. A good example is checking the user-agent, which is trivial to spoof. Rolling the session id doesn't help; if even one value is leaked or you have an XSS/CSRF vulnerability, then the attacker has control of the session.

Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding".

You should use this code in a php header file:

ini_set('session.cookie_secure', 1);    // send the session cookie over HTTPS only
ini_set('session.cookie_httponly', 1);  // cookie is not readable from document.cookie
ini_set('session.use_only_cookies', 1); // never accept a session ID from the URL
session_start();

This code prevents session fixation. It also helps protect against XSS accessing document.cookie, which is one way that session hijacking can occur. Enforcing HTTPS-only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also STS is a very cool security feature, but not all browsers support it (yet).

rook answered Dec 28 '22 11:12


If a logged-in user does not log out of his account and the session thus never gets destroyed (i.e. via logout-page.php), would the session die when the browser closes? The reason I ask is that if the user does not log out when the browser is closed, then when the browser is re-opened the site says the user is still logged in.

No. The session is managed on the server side and the client only gets the session ID for identification. Closing the browser would only destroy session cookies (i.e. cookies that are only valid during the current browser session) that hold the session IDs, but not the associated sessions. If the same session is used after re-opening the browser, the session's cookie is probably not a real session cookie but a persistent cookie. You can adjust that by setting session.cookie_lifetime to 0.

Is it best to keep the user logged in (i.e. login.php: enter details once, then start the session) rather than requiring the user to keep logging in, given that, as mentioned, if an error occurs in my scripts or if the user accesses certain pages I destroy the session (i.e. log them out)?

In general, as you use the session for user authentication purposes, you should only demand re-authentication if you have doubts about the current user's authentication (e.g. user agent changed) or if you want an additional authentication confirmation (e.g. privilege changes, as evidence for non-repudiation, etc.).

Gumbo answered Dec 28 '22 09:12
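As an added example (not code from either answer above), here is a PHP session bootstrap that combines the cookie flags from rook's answer with the session.cookie_lifetime of 0 that Gumbo mentions, and adds the two pieces a practitioner would want alongside them: regenerating the session ID at login and a server-side idle timeout, since the cookie lifetime says nothing about how long the server keeps the session. The idle limit, the function names and PHP >= 7.3 are assumptions.

```php
<?php
// Added example: hardened session bootstrap. Assumes PHP >= 7.3 and an HTTPS-only site.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // hypothetical idle timeout, in seconds

function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // true session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from document.cookie
        'samesite' => 'Lax',  // not attached to most cross-site requests
    ]);
    session_start();

    // Server-side idle timeout: the browser closing does not end the server's session,
    // so expire it ourselves when it has been idle too long.
    $now = time();
    if (isset($_SESSION['last_activity'])
        && $now - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        session_unset();              // drop all data, including any user_id
        session_regenerate_id(true);  // and issue a fresh ID, deleting the old one
    }
    $_SESSION['last_activity'] = $now;
}

function login(int $userId): void
{
    // Fresh ID on privilege change, so an ID fixed before login never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

function logout(): void
{
    $_SESSION = [];
    // Expire the client's cookie as well as destroying the server-side session.
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_destroy();
}

function current_user(): ?int
{
    return $_SESSION['user_id'] ?? null;
}
```

Call secure_session_start() at the top of every page before any output; login() after credentials are verified and logout() from the logout page.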