Website security rests on session management. When a user connects to a protected site, they provide credentials, usually a username and password. HTTP itself is stateless: the web server has no way of knowing on its own which user is already logged in as they move from page to page. The session mechanism spares users from re-entering a password every time they perform a new action or open a new page.
In essence, session management ties the requests of a logged-in user to their earlier authentication. Unfortunately, that makes sessions an obvious target for attackers, because a stolen session grants access to the web application without going through authentication at all.
After authenticating the user, the web server issues a session ID. This identifier is stored in the browser and sent back whenever authentication is needed, which avoids repeated login and password entry. All of this happens in the background without inconveniencing the user. Imagine having to enter a name and password every time you opened a new page!
In this article I will try to explain all the methods of protecting the session identifier in PHP that I know.
So let's go.
Use of cookies
By default, all session information, including the ID, is passed in a cookie. But this is not always what happens: some users disable cookies in their browsers, and in that case PHP falls back to passing the session ID in the URL.
www.example.org/index.php?PHPSESSID=n2cnj59d7s3p30fjs0jfn28nf
Here the ID is visible in clear text in the address bar, whereas with a cookie it is carried in an HTTP header. The simplest protection is to forbid passing the session identifier via the URL at all. In Apache you can do this in the .htaccess configuration file:
php_flag session.use_only_cookies on
Using encryption
If your site handles sensitive information, such as credit card numbers (hello from Sony), you should use SSL 3.0 or TLS 1.0 encryption. To go with it, set the secure parameter to true when setting the session cookie, so the browser only sends it over an encrypted connection.
If you store the user's password in the $_SESSION variable (it is better to keep it in an SQL database), do not store it in clear text.
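The two settings from the sections above, cookie-only transport of the session ID and the secure cookie flag, together in a single PHP bootstrap. This is an added example, not code from the original article; it assumes PHP 7.3 or newer (array form of session_set_cookie_params), and the HTTPS check relies on the $_SERVER['HTTPS'] value that Apache sets for TLS requests. The SSL 3.0 and TLS 1.0 versions mentioned above are both deprecated today; the cookie flag works the same way whatever TLS version the server negotiates.

```php
<?php
// Added example (not from the original article): configure the PHP session so
// that the ID travels only in a cookie, and only over HTTPS.

// Refuse to start a session at all when the request did not arrive over TLS;
// otherwise the 'secure' flag below would make the cookie silently unusable.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('This application must be accessed over HTTPS.');
}

// Never accept or emit the session ID in the URL (same effect as the
// php_flag session.use_only_cookies line in .htaccess).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Make PHP reject session IDs it did not generate itself, so a client cannot
// pick its own PHPSESSID value and have the server adopt it.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // not attached to most cross-site requests
]);

session_start();
```

Setting the flags through session_set_cookie_params has to happen before session_start(), and it only affects the cookie PHP emits; the .htaccess directives shown in the article apply the same policy server-wide without editing each script.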
if ($_SESSION['password'] == $userpass) {
The above code is not secure because the password sits in clear text in the session variable. Store an md5 hash instead and compare hashes, like this:
if ($_SESSION['md5password'] == md5($userpass)) {
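A worked version of the same idea with the functions PHP provides for password storage; this is an added example, not code from the original article. md5 is a fast, unsalted hash and is no longer considered suitable for passwords; password_hash and password_verify (PHP 5.5+) produce a salted bcrypt hash and compare it in constant time. The stored hash and the username are constructed samples, and the database lookup that would normally supply the hash is assumed to happen elsewhere.

```php
<?php
// Added example (not from the original article): keep a password hash rather
// than the password, and keep only the fact of authentication in the session.

// At registration time: derive a salted, slow hash (bcrypt by default).
function make_password_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// At login time: check the submitted password against the stored hash.
// password_verify() reads the salt and cost from the hash itself, so no
// "==" on hash strings is needed.
function login(string $userpass, string $stored_hash, string $username): bool {
    if (!password_verify($userpass, $stored_hash)) {
        return false;
    }
    // Issue a fresh session ID once the user is authenticated, so an ID that
    // existed before login cannot be reused to reach the logged-in state.
    session_regenerate_id(true);
    // Record who is logged in, never the password or its hash.
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $username;
    // Transparently upgrade hashes created with an older algorithm or cost.
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        $new_hash = make_password_hash($userpass);
        // ... write $new_hash back to the user record in the database here
    }
    return true;
}

// Constructed sample: the hash an application would have stored for "alice".
$stored_hash = make_password_hash('correct horse battery staple');

session_start();
login('wrong password', $stored_hash, 'alice');                 // rejected
login('correct horse battery staple', $stored_hash, 'alice');   // accepted
```

Keeping only a user identifier in $_SESSION also removes the reason for the comparison in the article: once the login has succeeded there is nothing password-related left in the session to check against.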
Browser verification
To prevent a session from being used from another browser (or computer), add a check of the HTTP User-Agent header:
session_start();
if (isset($_SESSION['HTTP_USER_AGENT'])) {
    // existing session: the browser must match the one that created it
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        session_unset(); session_destroy(); exit('Session does not match this browser');
    }
} else {
    // first request: remember a hash of the browser's User-Agent
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
Duration of the session
Limit the lifetime of the session and of the session cookie. By default, session data is kept for 1440 seconds of inactivity. You can change this value in php.ini or in .htaccess. Example for .htaccess:
# session data is eligible for garbage collection after 3600 seconds of inactivity
php_value session.gc_maxlifetime 3600
# the session cookie expires 3600 seconds after it is set
php_value session.cookie_lifetime 3600
IP binding
In certain situations (not always), you should also bind the session to the client's IP address. This mainly makes sense when the number of users is small and they have static IP addresses. The check can be done against a list of allowed IP addresses,
include("ip_list.php"); // assumed to define $allowed_ips, an array of permitted addresses
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed_ips, true)) { exit('Access denied'); }
or by IP address for each request (only for static IP):
if (isset($_SESSION['ip']) and $_SESSION['ip'] == $_SERVER['REMOTE_ADDR']) {
    // same address as when the session was created: let the user through
    header("Location: admin.php");
    exit;
} else {
    // address changed (or first visit): drop the old session data and re-bind
    session_unset();
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
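The checks from the Browser verification, Duration of the session and IP binding sections combined into one guard that runs on every request. This is an added example, not code from the original article. The timeouts, the sha256 fingerprint in place of md5, and the allow-list of addresses are all assumptions chosen for the example; the addresses are constructed samples from a documentation range.

```php
<?php
// Added example (not from the original article): one guard function that binds
// the session to the browser's User-Agent, optionally to the client IP, and
// discards it after a period of inactivity or a fixed absolute lifetime.

const IDLE_TIMEOUT   = 900;   // seconds without a request before the session dies
const ABSOLUTE_LIMIT = 3600;  // seconds after creation after which re-login is required

function browser_fingerprint(): string {
    // Hash the header so an arbitrary, possibly long client string is not stored verbatim.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function destroy_session_and_deny(string $reason): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Also expire the cookie in the browser, not just the server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
    // Leave a trace for the operator: rejected sessions are worth watching.
    error_log("session rejected: $reason from " . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(403);
    exit('Session invalid, please log in again.');
}

function guard_session(bool $bind_ip, array $allowed_ips = []): void {
    session_start();
    $now = time();
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';

    if (empty($_SESSION['created'])) {
        // First request: issue a fresh ID and record the values every later
        // request must match.
        session_regenerate_id(true);
        $_SESSION['created'] = $now;
        $_SESSION['last']    = $now;
        $_SESSION['ua']      = browser_fingerprint();
        $_SESSION['ip']      = $ip;
        return;
    }
    if (!hash_equals($_SESSION['ua'], browser_fingerprint())) {
        destroy_session_and_deny('user-agent changed');
    }
    if ($bind_ip && $_SESSION['ip'] !== $ip) {
        destroy_session_and_deny('client address changed');
    }
    if ($allowed_ips && !in_array($ip, $allowed_ips, true)) {
        destroy_session_and_deny('address not on the allow-list');
    }
    if ($now - $_SESSION['last'] > IDLE_TIMEOUT) {
        destroy_session_and_deny('idle timeout');
    }
    if ($now - $_SESSION['created'] > ABSOLUTE_LIMIT) {
        destroy_session_and_deny('absolute lifetime exceeded');
    }
    $_SESSION['last'] = $now;
}

// Usage: an admin area reachable only from a fixed set of static addresses
// (constructed sample list).
$admin_ips = ['203.0.113.10', '203.0.113.11'];
guard_session(true, $admin_ips);
```

The IP binding is a parameter rather than always on because, as the article notes, it only works for clients with static addresses; users behind mobile networks or load-balanced proxies change address mid-session and would be logged out for no reason. The idle timeout in the session data is enforced on each request regardless of when PHP's garbage collector happens to run, which is why it is checked here in addition to session.gc_maxlifetime.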
It should be understood that it is impossible to rule out a break-in completely. You can only make it as hard as possible using every known means. At the same time, do not forget about your legitimate users, so that such protection does not make their lives harder.