Sep 29, 2012

Session security tutorial, protection against session hijacking and hackers


When it comes to session security, a lot of webmasters like to skip it.
Myself, I use sessions and not cookies, not for any big purpose, but sessions are cool and easy to implement.

Steps to session security


1- Unfiltered GET, POST, REQUEST data
2- Using session_regenerate_id()
3- Accepting HTTP-only cookies
4- Manually expiring sessions
5- php.ini modifications

Let's move on.


To start a session we begin with:
<?php
session_start(); // starts a new session, or resumes the one the client's cookie points to
?>

A live example, echoing "Hello World":
<?php
session_start();
// string to print
$string = "Hello World";
$_SESSION['string'] = $string;
// printing it out
echo $_SESSION['string'];
?>

Simple and cool :D

Unfiltered GET, POST, REQUEST data


If you are storing a value from a form in the session, make sure to filter out all bad characters.

Here is a live example of a vulnerability:
<?php
session_start();
/* an attacker supplies a value containing JavaScript, like:
<script>alert(0)</script>
which will pop up a "0" when it is echoed back unescaped
*/
$string = $_GET['string']; // raw, unfiltered input
$_SESSION['string'] = $string;
// printing it out without any escaping
echo $_SESSION['string'];
?>

What happened here is that the GET data is not filtered against Cross-Site Scripting (XSS) attacks; now think about what happens when that same data gets inserted into a MySQL database and an attacker uses it for SQL injection.
Make sure this kind of data is always filtered.

Using session_regenerate_id()


What is this function all about?
Well, this function is very important!

a- When you refresh the page you get a new session id
b- When you close the browser the session gets destroyed
c- It will prevent session stealing

To implement it, simply do:
<?php
session_start();
session_regenerate_id(); // replaces the current session ID with a freshly generated one
?>

Accepting HTTP-only cookies


This is a php.ini setting; php.ini describes it as: "Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript." For more about it you can read on php.net.

To implement it, simply do:
<?php
// setting ini rule (must come before session_start(), otherwise the session cookie has already been sent without the flag)
ini_set('session.cookie_httponly', true);
session_start();
session_regenerate_id();
?>

Manually expiring sessions



We can use time() to record when we last logged in and destroy the session after X seconds.
<?php
// setting ini rule (before session_start(), so the cookie is sent with the flag)
ini_set('session.cookie_httponly', true);
session_start();
session_regenerate_id();
// record last login
$_SESSION['lastlogin'] = time();
?>

On the next access we check for expiration:
<?php
// setting ini rule (before session_start(), so the cookie is sent with the flag)
ini_set('session.cookie_httponly', true);
session_start();
session_regenerate_id();
// check if the session is older than 20 seconds (or has no login time at all)
if(!isset($_SESSION['lastlogin']) || $_SESSION['lastlogin'] < time() - 20){
    session_destroy(); // drop the server-side data too, not just the page
    die("Session expired, please relogin.");
}
?>
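As an added example (not the original post's code), here is the unfiltered-input lesson and the three steps above (regenerate the ID, HttpOnly cookie, manual expiry) combined into one bootstrap. The function names secure_session_start() and clean_string(), the constant IDLE_LIMIT and the extra session.use_only_cookies setting are my own choices, not something the tutorial prescribes.

```php
<?php
// Added example, not the tutorial's own code: the checklist as one bootstrap.
// IDLE_LIMIT, secure_session_start() and clean_string() are names I chose.

const IDLE_LIMIT = 20; // seconds, matching the tutorial's 20-second check

function secure_session_start()
{
    // ini settings must be applied BEFORE session_start(), otherwise the
    // session cookie has already gone out without the HttpOnly flag.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    session_start();

    // Idle expiry: stale if there has been NO activity in the last
    // IDLE_LIMIT seconds (note the direction of the comparison).
    if (isset($_SESSION['lastactivity'])
        && $_SESSION['lastactivity'] < time() - IDLE_LIMIT) {
        $_SESSION = array();
        session_destroy();              // drop server-side data, not just the cookie
        die("Session expired, please relogin.");
    }
    $_SESSION['lastactivity'] = time();

    // Hand the client a fresh id and delete the old one, so an id that was
    // planted or captured earlier stops being valid.
    session_regenerate_id(true);
}

// Whitelist the input instead of storing raw GET data in the session.
function clean_string($raw)
{
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9 ]{1,40}$/', $raw)) {
        return 'Hello World'; // fall back to a known-good default
    }
    return $raw;
}

secure_session_start();

$_SESSION['string'] = clean_string(isset($_GET['string']) ? $_GET['string'] : '');

// Escape on output as well: <script> becomes &lt;script&gt; and is shown as text.
echo htmlspecialchars($_SESSION['string'], ENT_QUOTES, 'UTF-8');
```

With this in place, ?string=<script>alert(0)</script> fails the whitelist and the page prints the default instead of running the script, and a client that stays idle for more than 20 seconds gets its session destroyed on the next request.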

php.ini modifications



We are going to make some modifications to the php.ini file.
You can use Ctrl+F to search for these strings.
session.save_path = "c:/wamp/tmp" (where the sessions will be saved)
session.gc_maxlifetime = 1440 (maximum time session will be alive)

It is good to change these 2 options, or more, depending on your needs.

Don'ts


It is not recommended to save sessions in a MySQL database; it will slow down the page, and if the data is not filtered things may go bad.

Thanks for reading, I worked a lot on writing this tutorial; a share of this post would be nice :D
