Myself, I use sessions and not cookies, not for any big purpose, but sessions are cool and easy to implement.
Steps to session security
1- Unfiltered GET, POST, REQUEST data
2- Using session_regenerate_id()
3- Accepting HTTP-only cookies
4- Manually expiring sessions
5- php.ini modifications
Let's move on.
To start a session we begin with:
<?php
session_start(); // starts a new session or resumes the existing one
?>
A live example is echoing "Hello World":
<?php
session_start();
// string to print
$string = "Hello World";
$_SESSION['string'] = $string;
// printing it out
echo $_SESSION['string'];
?>
Simple and cool :D
Unfiltered GET, POST, REQUEST data
If you are assigning a value from a form to a session, make sure to filter all bad characters.
Here is a live example of a vulnerability:
<?php
session_start();
/* attacker using an evil javascript like:
<script>alert(0)</script>
which will popup a "0"
*/
$string = $_GET['string'];
$_SESSION['string'] = $string;
// printing it out
echo $_SESSION['string'];
?>
What happened here is that the GET data is not filtered against Cross Site Scripting (XSS) before it is echoed back; now think about the same data being inserted into a MySQL database, where an attacker can execute SQL injection.
Make sure this kind of data is always filtered.
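Here is a hardened version of the example above, added for this tutorial and not part of the original post. It treats the GET value as untrusted, escapes it for the HTML context at output time, and writes it to the database with a prepared statement so the data can never be parsed as SQL. The `messages` table and the in-memory SQLite database are assumptions made so the example runs stand-alone without a MySQL server.

```php
<?php
// Added example: the same "string" feature with the input treated as untrusted.
// Escaping happens at the point of output (HTML), and the database write uses a
// prepared statement. SQLite in memory stands in for MySQL so this runs alone.
declare(strict_types=1);

session_start();

// Escape for an HTML context: <script> becomes &lt;script&gt; and is displayed
// as text instead of executed. ENT_QUOTES also covers attribute contexts.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read the GET parameter without trusting it; null when absent, false on failure.
$string = filter_input(INPUT_GET, 'string', FILTER_DEFAULT);
if ($string === null || $string === false) {
    $string = '';
}
// Length limit so the session does not end up storing arbitrary amounts of data.
$string = mb_substr($string, 0, 200);

// Store the raw value; escaping is done per output context, not on the way in.
$_SESSION['string'] = $string;

// Output context: HTML.
echo html_escape($_SESSION['string']);

// Database context: a prepared statement keeps the data separate from the SQL.
// (Constructed table, only for this example.)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
$stmt->execute([':body' => $_SESSION['string']]);
```

Calling the script with `?string=<script>alert(0)</script>` now prints the tag as literal text, and the same payload (or `' OR 1=1 --`) lands in the table as a plain string. The rule of thumb is to escape for the context you are writing into (HTML here, SQL there), not to strip "bad characters" once at the input.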
Using session_regenerate_id()
What is this function all about?
Well, this function is very important!
a- When you refresh the page you get a new session id
b- When you close the browser the session gets destroyed
c- It will prevent session stealing
To implement it, simply do:
<?php
session_start();
session_regenerate_id();
?>
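The place where regenerating the id matters most is the moment the user logs in (or otherwise gains privileges): whatever id the browser carried before authentication must not become the authenticated session's id. The example below is added for this tutorial and is not the original post's code; `check_credentials()` and the user record inside it are placeholders. Note that the browser dropping the cookie on close comes from the default `session.cookie_lifetime = 0`, not from `session_regenerate_id()` itself, and `session.use_strict_mode` is what makes PHP refuse ids it never issued.

```php
<?php
// Added example: regenerate the session id at the privilege boundary (login).
// check_credentials() and the user record are placeholders for this example.
declare(strict_types=1);

// Reject session ids the server never issued (ids an attacker planted in advance).
ini_set('session.use_strict_mode', '1');
session_start();

function check_credentials(string $user, string $password): ?int
{
    // Placeholder: a real application loads the user from storage and verifies
    // the stored hash with password_verify(). The hash is built here only so the
    // example runs; the password is "correct horse".
    $fake_user = [
        'id'   => 42,
        'name' => 'alice',
        'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ];
    if (hash_equals($fake_user['name'], $user) && password_verify($password, $fake_user['hash'])) {
        return $fake_user['id'];
    }
    return null;
}

function login(string $user, string $password): bool
{
    $id = check_credentials($user, $password);
    if ($id === null) {
        return false;
    }
    // New id at the privilege boundary: anything observed or planted before
    // authentication no longer refers to the authenticated session. The argument
    // true deletes the old session data so the old id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $id;
    $_SESSION['login_time'] = time();
    return true;
}

// Usage with constructed form data (normally this comes from the login form).
$_POST['user']     = 'alice';
$_POST['password'] = 'correct horse';
if (login((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''))) {
    echo 'logged in as user ' . $_SESSION['user_id'];
} else {
    http_response_code(401);
    echo 'bad credentials';
}
```

Regenerating on every request, as the tutorial does, is allowed but not required; the login (and logout, and any role change) is where it must happen.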
Accepting HTTP-only cookies
This is a php.ini setting. php.ini explains it as: "Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript." For more about it you can read on php.net.
To implement it, simply do (the ini rule must be set before session_start(), because that is the call that sends the cookie):
<?php
// setting ini rule, before the session cookie is sent
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id();
?>
Manually expiring sessions
We can use time() to record when we last logged in and destroy the session after X seconds.
<?php
// setting ini rule, before the session cookie is sent
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id();
// record last login
$_SESSION['lastlogin'] = time();
?>
On the next access we check for expiration:
<?php
// setting ini rule, before the session cookie is sent
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id();
// check if the session is older than 20 seconds
if (isset($_SESSION['lastlogin']) && $_SESSION['lastlogin'] < time() - 20) {
    session_unset();
    session_destroy();
    die("Session expired, please relogin.");
}
?>
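A fuller version of the expiry check, added for this tutorial and not part of the original post: it combines an idle timeout (the tutorial's 20 seconds) with an absolute lifetime since login, and on expiry it removes the cookie from the browser as well as the data on the server. The 8-hour absolute limit and the key names `last_activity` and `login_time` are assumptions.

```php
<?php
// Added example: idle timeout plus absolute lifetime, with full teardown on expiry.
// IDLE_LIMIT is the tutorial's 20 seconds; ABSOLUTE_LIMIT is an assumed value.
declare(strict_types=1);

const IDLE_LIMIT     = 20;       // seconds without a request before expiry
const ABSOLUTE_LIMIT = 8 * 3600; // seconds since login, regardless of activity

ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');
session_start();

function session_expired(array $session, int $now): bool
{
    // No timestamps yet means a brand-new session, not an expired one.
    if (!isset($session['last_activity'], $session['login_time'])) {
        return false;
    }
    return ($now - $session['last_activity']) > IDLE_LIMIT
        || ($now - $session['login_time']) > ABSOLUTE_LIMIT;
}

function destroy_session(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser too, not only the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

$now = time();
if (session_expired($_SESSION, $now)) {
    destroy_session();
    die('Session expired, please log in again.');
}

// First request of the session records the start; every request refreshes activity.
$_SESSION['login_time']    = $_SESSION['login_time'] ?? $now;
$_SESSION['last_activity'] = $now;
echo 'session ok';
```

Load the page, wait more than 20 seconds, and reload: the session is torn down and the message printed. The absolute limit is what bounds the damage if a session id ever leaks, since an attacker who keeps it "active" would otherwise never hit the idle timeout.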
php.ini modifications
We are going to make some modifications to the php.ini file.
You can use Ctrl+F to search for the settings.
session.save_path = "c:/wamp/tmp" (where the session files will be saved)
session.gc_maxlifetime = 1440 (maximum time in seconds a session stays alive before garbage collection may remove it)
It is good to change these two options, or more depending on your needs.
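The same settings can be applied from code instead of php.ini, which is handy when you cannot edit the server configuration. The bootstrap below is added for this tutorial and is not the original post's code; it collects the two php.ini options from this section, the HttpOnly flag from the earlier section, and the other session hardening flags PHP offers, all set before session_start() since after that call the cookie has already been sent. The save path is a placeholder: use a directory outside the web root that only the PHP process can read.

```php
<?php
// Added example: session configuration applied with ini_set() before session_start().
// Every key here is a real PHP session setting; the path and lifetime are placeholders.
declare(strict_types=1);

function configure_session(string $save_path, int $max_lifetime): void
{
    ini_set('session.save_path', $save_path);                 // where session files live
    ini_set('session.gc_maxlifetime', (string)$max_lifetime); // seconds before GC may remove idle data
    ini_set('session.cookie_lifetime', '0');                  // cookie discarded when the browser closes
    ini_set('session.cookie_httponly', '1');                  // not readable from JavaScript
    ini_set('session.cookie_secure', '1');                    // only sent over HTTPS
    ini_set('session.cookie_samesite', 'Lax');                // PHP 7.3+: not sent on most cross-site requests
    ini_set('session.use_only_cookies', '1');                 // ignore session ids passed in the URL
    ini_set('session.use_strict_mode', '1');                  // reject ids the server did not issue
}

// Placeholder path and the tutorial's 1440-second lifetime.
configure_session('/var/lib/php/sessions_example', 1440);
session_start();
```

In php.ini the equivalent lines use the same keys with `=` (for example `session.cookie_secure = 1`). With `session.cookie_secure` on, the cookie is never sent over plain HTTP, so test on an HTTPS host or leave that one flag off on a local HTTP-only setup.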
Don'ts
It is not recommended to save sessions in a MySQL database: it slows the page down, and if the data is not filtered things may go bad.
Thanks for reading. I worked a lot on writing this tutorial; a share of this post would be nice :D