11.3.1. Problem

You want to make sure that your application is not vulnerable to session fixation attacks.

11.3.2. Solution

Require the use of session cookies without session identifiers appended to URLs, and generate a new session ID frequently:

    ini_set('session.use_only_cookies', true);
    session_start();
    if (!isset($_SESSION['generated']) || $_SESSION['generated'] < (time() - 30)) {
        session_regenerate_id();
        $_SESSION['generated'] = time();
    }

11.3.3. Discussion

In this example, we start by setting PHP's session behavior to use cookies only. This overrides PHP's default behavior of transparently appending values such as ?PHPSESSID=12345678 to any URL on a page whenever a visitor's session is started if the visitor doesn't have cookies enabled in his browser.

Once the session is started, we set a value that will keep track of the last time a session ID was generated. By requiring a new one to be generated on a regular basis (every 30 seconds in this example), the opportunity for an attacker to obtain a valid session ID is dramatically reduced.

These two approaches combine to virtually eliminate the risk of session fixation. An attacker has a hard time obtaining a valid session ID because it changes so often, and since session IDs can only be passed in cookies, a URL-based attack is not possible. Finally, since we enabled the session.use_only_cookies setting, no session identifiers will be left lying around in browser histories or in server referrer logs.

11.3.4. See Also

"Session Fixation Vulnerability in Web-based Applications," http://www.acros.si/papers/session_fixation.pdf; Recipe 18.1 for information about regenerating session IDs on privilege escalation.
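Putting the two measures together with the related PHP session settings, as an added example that is not the recipe's own code: it also rejects session IDs the server never issued and rotates the ID on login (the case Recipe 18.1 covers). It assumes PHP 7.3 or later (array form of session_set_cookie_params() and the samesite flag); the function names are hypothetical.

```php
<?php
// Added example, not from the recipe. Assumes PHP >= 7.3.

function secure_session_start(int $rotate_after = 30): void
{
    // Never read a session ID from the URL; only the cookie is consulted.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not generate itself: an ID planted in the
    // browser that was never issued by us is dropped and a fresh one created.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, not persisted to disk
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Time-based rotation as in the recipe. The `true` argument deletes the
    // old session data so the previous ID cannot be reused.
    if (!isset($_SESSION['generated']) || $_SESSION['generated'] < (time() - $rotate_after)) {
        session_regenerate_id(true);
        $_SESSION['generated'] = time();
    }
}

// Rotate on privilege change as well: an ID issued before authentication
// must not remain valid afterwards.
function login_user(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['generated'] = time();
    $_SESSION['user_id']   = $user_id;
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser, then drop the server-side data.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

secure_session_start();
```

Because session_regenerate_id(true) discards the old session data, concurrent requests still carrying the old ID (for example parallel XMLHttpRequests fired just before the rotation) lose their session; a short interval buys the protection the recipe describes at that cost.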