Daily Archives: April 26, 2018

PHP

Session Security

Leave a comment

Counter Measures

• Regenerate the session id upon login, before authentication, using session_regenerate_id(true). passing boolean true removes the old session and is critical as a counter measure

• Also, regenerate session id prior to “critical” operations

• Use ssl encryption for the login, or assign a hidden key (not as good)

• Check that the ip address remains the same (although not always reliable)

• Use short session timeout

• Provide user logout

• Destroy an old and create a new session with: session_regenerate_id(true)

• Set php configuration directive session.use_only_cookies = 1

• Prevent javascript access to session cookie with php configuration directive session.cookie_httponly = 1

PHP

cgi.force_redirect

Leave a comment

The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php. Instead, PHP will only parse in this mode if it has gone through a web server redirect rule. PHP older than 4.2.0 used –enable-force-cgi-redirect compile time option for this.

Usually the redirection in the Apache configuration is done with the following directives:

Action php-script /cgi-bin/php
AddHandler php-script .php

This option has only been tested with the Apache web server, and relies on Apache to set the non-standard CGI environment variable REDIRECT_STATUS on redirected requests. If your web server does not support any way of telling if the request is direct or redirected, you cannot use this option and you must use one of the other ways of running the CGI version.

PHP

session_regenerate_id

Leave a comment

session_regenerate_id — Update the current session id with a newly generated one

session_regenerate_id() will replace the current session id with a new one, and keep the current session information.

When session.use_trans_sid is enabled, output must be started after session_regenerate_id() call. Otherwise, old session ID is used.

Example

<?php
 session_start();

if (isset($_SESSION['destroyed'])
 && $_SESSION['destroyed'] < time() - 300) {
 remove_all_authentication_flag_from_active_sessions($_SESSION['userid']);
 throw(new DestroyedSessionAccessException);
 }

$old_sessionid = session_id();
 $_SESSION['destroyed'] = time(); 
 session_regenerate_id();
 unset($_SESSION['destroyed']);
 $new_sessionid = session_id();
 echo "Old Session: $old_sessionid<br />";
 echo "New Session: $new_sessionid<br />";

print_r($_SESSION);
?>