Tag Archives: session

magento 2 increase session timeout

  • Log in to Magento using your administrator account.
  • In the left sidebar, click Stores, and then under Settings, click Configuration.
  • Click Advanced, and then click Admin.
  • Under Security, in the Admin Session Lifetime (seconds) text box, type the session timeout interval in seconds that you want to use. For example, a value of 1200 sets a timeout interval of 20 minutes.
  • Click Save Config.
  • Log out of Magento, and then log back in. The new session timeout interval is now active.

Cookies

Cookies are a way of storing data in the browser to identify or track a user. Create (set) them with the setcookie() or setrawcookie() function; either must be called before any output is sent to the browser, because cookies travel in the HTTP response headers.

Output buffering can delay the script's output, leaving time to decide whether to set cookies or send other headers.

The setcookie() parameters are defined as follows:

  • $name: the cookie name (string)
  • $value: the cookie value (string)
  • $expire: expiry date as a Unix timestamp; optional, the default (0) keeps the cookie until the browser session ends
  • $path: the path on the domain for which the cookie is valid
  • $domain: the domain for which the cookie is valid; the browser checks it against the host's domain name
  • $secure: the cookie is only transmitted over secure channels (HTTPS); boolean
  • $httponly: the cookie is only accessible via the HTTP protocol, not from JavaScript; boolean

Read cookies through the $_COOKIE or $_REQUEST superglobals. Cookie data sent by the client is loaded into $_COOKIE automatically, provided the variables_order php.ini directive includes "C" (the letters EGPCS stand for environment, get, post, cookie, server). A cookie overwrites an existing one when its name, path, domain, secure and httponly attributes are identical.

Cookies are part of the HTTP header. As with sessions, multiple values can be assigned by using an array-style name; to pack all values into a single cookie, apply serialize() or implode() to the values instead.
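The parameters and rules above put to work, as an added example that is not code from the original post: setSecureCookie(), deleteCookie() and the 'prefs' cookie with its values are constructed for illustration.

```php
<?php
// Added example, not from the original post: set, pack, read and delete a
// cookie using the setcookie() parameters listed above. Function names and
// the 'prefs' cookie are constructed for illustration.
declare(strict_types=1);

ob_start(); // buffer output so cookies/headers can still be sent later in the script

/** Set a cookie that is only sent over HTTPS and is invisible to JavaScript. */
function setSecureCookie(string $name, string $value, int $lifetimeSeconds): bool
{
    // setcookie() fails once output has gone to the client; report where it started.
    if (headers_sent($file, $line)) {
        error_log("Cannot set cookie '$name': output already started at $file:$line");
        return false;
    }
    return setcookie(
        $name,
        $value,
        time() + $lifetimeSeconds, // $expire as a Unix timestamp; 0 = until the browser closes
        '/',                       // $path: valid for every URL on this host
        '',                        // $domain: empty = only the exact host that set it
        true,                      // $secure: transmitted over HTTPS only
        true                       // $httponly: not readable via document.cookie
    );
}

/** Delete a cookie: same name/path/domain/secure/httponly, expiry in the past. */
function deleteCookie(string $name): bool
{
    return setcookie($name, '', time() - 3600, '/', '', true, true);
}

// Several values in one cookie: implode() on the way out, explode() on the way in.
// serialize() works too, but unserialize() on client-controlled data is unsafe;
// json_encode()/json_decode() is the safer choice for structured values.
$prefs = ['dark', 'en'];
setSecureCookie('prefs', implode('|', $prefs), 60 * 60 * 24 * 30); // 30 days

// $_COOKIE holds what the client sent with *this* request; a cookie set above
// only shows up in $_COOKIE on the next request.
$stored = isset($_COOKIE['prefs']) ? explode('|', $_COOKIE['prefs'], 2) : [];
[$theme, $lang] = $stored + [null, null]; // tolerate a missing or truncated cookie

ob_end_flush();
```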

Session Security

Counter Measures

• Regenerate the session ID upon login, before authentication, using session_regenerate_id(true). Passing boolean true removes the old session, which is the critical part of this counter measure.

• Also regenerate the session ID prior to "critical" operations.

• Use SSL encryption for the login, or assign a hidden key (not as good).

• Check that the client IP address remains the same (although this is not always reliable).

• Use a short session timeout.

• Provide a user logout.

• Destroy the old session and create a new one with session_regenerate_id(true).

• Set the PHP configuration directive session.use_only_cookies = 1, so the session ID is accepted only from a cookie and never from the URL.

• Prevent JavaScript access to the session cookie with the PHP configuration directive session.cookie_httponly = 1.

Session Fixation

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID: when authenticating a user, it does not assign a new session ID, making it possible to keep using an existing one. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate with that session ID, and then hijacking the user-validated session through knowledge of the session ID used. The attacker has to provide a legitimate web application session ID and try to make the victim's browser use it.

Session fixation is a class of session hijacking. Ordinary session hijacking steals the session established between the client and the web server after the user logs in; session fixation instead plants a fixed session on the victim's browser, so the attack starts before the user logs in.

There are several techniques to execute the attack; which one applies depends on how the web application handles session tokens. Below are some of the most common:

• Session token in a URL argument: the session ID is sent to the victim in a hyperlink, and the victim accesses the site through the malicious URL.

• Session token in a hidden form field: the victim must be tricked into authenticating to the target web server using a login form developed by the attacker. The form could be hosted on the attacker's web server or embedded directly in an HTML-formatted e-mail.

• Session ID in a cookie:

The following helps to protect against session hijacking and fixation attacks.

  • Use SSL and set the $secure cookie parameter to true.
  • Set the session.use_only_cookies php.ini parameter to 1.
  • Protect against XSS vulnerabilities in the application.
  • Rotate the session ID on successful login and logout using session_regenerate_id().
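The counter measures listed under Session Security and the protections just above combined into one login/logout flow, as an added example that is not code from the original post: checkCredentials() and its one-user table are constructed placeholders, the timeout reuses the page's 1200 seconds, and session.use_strict_mode is a directive the lists above do not mention.

```php
<?php
// Added example (not the original post's code); checkCredentials() and its user table are constructed placeholders.
// Hardening directives (the php.ini settings named above); must precede session_start().
ini_set('session.use_only_cookies', '1'); // accept the session ID from a cookie only, never the URL
ini_set('session.cookie_httponly', '1');  // session cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');    // session cookie sent over HTTPS only
ini_set('session.use_strict_mode', '1');  // beyond the lists above: reject IDs the server never issued
session_start();
const SESSION_TIMEOUT = 1200; // short timeout, the same 20 minutes as the Magento example above

/** Placeholder credential check against a constructed table (replace with a real lookup). */
function checkCredentials(string $user, string $password): bool
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/** Log in: rotate the session ID before storing anything that marks the user as authenticated. */
function login(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) return false;
    session_regenerate_id(true); // true deletes the old session, so a pre-known ID is now worthless
    $_SESSION['user'] = $user;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? ''; // optional IP pinning (unreliable, as noted above)
    $_SESSION['last_active'] = time();
    return true;
}

/** Per request: enforce the timeout and the IP check; any failure ends the session. */
function requireValidSession(): bool
{
    $idle = time() - ($_SESSION['last_active'] ?? 0);
    $sameIp = ($_SESSION['ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '');
    if (!isset($_SESSION['user']) || $idle > SESSION_TIMEOUT || !$sameIp) {
        logout();
        return false;
    }
    $_SESSION['last_active'] = time();
    return true;
}

/** Log out: wipe server-side data, expire the session cookie, destroy the session. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```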

Cookie Hijacking

Cookie hijacking, sometimes also known as session hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it refers to the theft of the magic cookie used to authenticate a user to a remote server. It is particularly relevant to web developers, as the HTTP cookies used to maintain a session on many web sites can easily be stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.


Magento Session

Set session
=========

$myData = 'PHPCodez';
// The magic setter name must match the getter/unsetter below: setMyData stores key "my_data"
Mage::getSingleton('core/session')->setMyData($myData);

get session value
=========

$myData = '';
$myData = Mage::getSingleton('core/session')->getMyData();

Unset session
=========

Mage::getSingleton('core/session')->unsMyData();