Recipe 11.3. Preventing Session Fixation


11.3.1. Problem

You want to make sure that your application is not vulnerable to session fixation attacks.

11.3.2. Solution

Require the use of session cookies without session identifiers appended to URLs, and generate a new session ID frequently:

    // Accept the session ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', true);
    session_start();

    // Issue a fresh session ID if the current one is older than 30 seconds.
    if (!isset($_SESSION['generated'])
        || $_SESSION['generated'] < (time() - 30)) {
        session_regenerate_id();
        $_SESSION['generated'] = time();
    }

11.3.3. Discussion

In this example, we start by setting PHP's session behavior to use cookies only. This overrides PHP's default behavior of transparently appending values such as ?PHPSESSID=12345678 to every URL on a page whenever a session is started for a visitor whose browser does not have cookies enabled.

Once the session is started, we set a value that keeps track of the last time a session ID was generated. By requiring a new one to be generated on a regular basis (every 30 seconds in this example), the window in which an attacker can obtain a valid session ID is dramatically reduced.

These two approaches combine to virtually eliminate the risk of session fixation. An attacker has a hard time obtaining a valid session ID because it changes so often, and since session IDs can only be passed in cookies, a URL-based attack is not possible. Finally, since we enabled the session.use_only_cookies setting, no session IDs will be left lying around in URLs stored in browser histories or in server referrer logs.
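As an added example that is not the cookbook's own code, the following PHP combines the recipe's two measures with two further steps I am confident of: session.use_strict_mode (PHP 5.5.2 and later, rejects IDs the server never issued) and a regeneration at login, which Recipe 18.1 covers. The function names harden_session, rotate_session_id and on_successful_login are my own.

```php
<?php
// Added example, not from the PHP Cookbook. Function names are assumptions.

function harden_session(): void
{
    // Accept the session ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Discard any ID this server did not generate itself (PHP >= 5.5.2),
    // so a pre-chosen ID handed to a victim is replaced on first use.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from scripts and off plain HTTP (PHP >= 7.3 array form).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function rotate_session_id(int $maxAgeSeconds = 30): void
{
    // Same 30-second rotation as the recipe; passing true to
    // session_regenerate_id() also deletes the old session data,
    // so the previous ID cannot be reused.
    $generated = $_SESSION['generated'] ?? 0;
    if ($generated < time() - $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['generated'] = time();
    }
}

function on_successful_login(int $userId): void
{
    // Privilege change: issue a fresh ID before storing anything sensitive,
    // so an ID known from before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['generated'] = time();
    $_SESSION['user_id']   = $userId;
}

harden_session();
rotate_session_id();
// After credentials have been verified, e.g. on_successful_login(42);
```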

11.3.4. See Also

"Session Fixation Vulnerability in Web-based Applications," http://www.acros.si/papers/session_fixation.pdf; Recipe 18.1 for information about regenerating session IDs on privilege escalation.




PHP Cookbook, 2nd Edition
PHP Cookbook: Solutions and Examples for PHP Programmers
ISBN: 0596101015
Year: 2006