PHP Security - Prevent Session Hijacking and Fixation
Most PHP programmers use sessions to preserve certain data across subsequent pages. There is nothing wrong with this method: since the web is stateless, most web developers use a session to maintain a login on a site.
Usually this is achieved by placing a session cookie, in the form of a session ID (a 32 byte alpha-numeric string), on the client browser. When the client's browser has cookies disabled, the session cookie cannot be stored, so PHP propagates the session ID at the end of each URI on the page. You may have noticed that an attacker may be capable of exploiting this by constructing a malicious link containing script code embedded within this variable. A PHP developer needs to take extra measures to ensure the integrity of the session.
As a programmer, you need to ensure that a user's session ID cannot be supplied by an attacker who seeks to hijack that user's session. One simple method is to regenerate the session ID with session_regenerate_id() whenever the user's privileges change, for example when a user successfully logs in to the registered users' restricted pages:
<?php
session_start();            // resume the session before its ID can be regenerated
session_regenerate_id();    // issue a fresh ID now that the privilege level changes
$_SESSION['logged_in'] = TRUE;
?>
By using session_regenerate_id(), you help to minimize session fixation dramatically.
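A fuller login handler around the same call, added here as an example and not taken from the original post. It assumes the site is served over HTTPS (for the secure cookie flag) and uses a constructed in-memory user table in place of a database; it also keeps the session ID out of URLs and rejects IDs the server never issued, which closes the URL-propagation and fixation paths described above.

```php
<?php
// Added example (not from the original post): a minimal login flow that
// regenerates the session ID whenever the privilege level changes.
// The user table and password below are constructed for this demo.

declare(strict_types=1);

// Harden session transport before session_start(): keep the ID out of URLs
// (the trans-sid fallback the post describes) and reject IDs the server
// never issued, which is the fixation vector session_regenerate_id() addresses.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumption: the site is served over HTTPS
    'httponly' => true,      // cookie not readable by script injected into the page
    'samesite' => 'Lax',
]);
session_start();

// Constructed demo credential store; a real application reads this from a database.
$users = [
    'alice' => password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Privilege level changes here: issue a fresh ID and delete the old session
    // data, so an ID planted in the browser before login is no longer valid.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $username;
    return true;
}

function logout(): void
{
    // Drop server-side state, expire the cookie, then destroy the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Demo flow: credentials would normally come from a POST form.
$username = $_POST['username'] ?? 'alice';
$password = $_POST['password'] ?? 'correct-horse-battery-staple';
if (login($users, $username, $password)) {
    echo "Logged in as {$_SESSION['username']}; new session id: " . session_id() . "\n";
} else {
    http_response_code(401);
    echo "Invalid credentials\n";
}
```

Passing true to session_regenerate_id() deletes the old session file as well as issuing a new ID; without it the previous ID keeps resolving to the same data until garbage collection runs.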