PHP Protecting from Session Fixation/Hijacking
Even if the session was hijacked, the person could only get the CC number if your script is allowing the user to see the CC number, or there is a dump of the session on your site.
Also keep in mind that it can be unlawful to store CC numbers in a database in plaintext. If your worried about data theft, be sure to encode or encrypt all sensitive data.
Good luck!
Proper session hijacking prevention in PHP
Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration:session_id(sha1(uniqid(microtime()));
This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from /dev/urandom
which is a awesome entropy pool. This is going to be a lot more random than uniqid() which is already mostly a timestamp, adding another timestamp to this mix doesn't help at all. Remove this line of code, asap.
Checking the IP address is problematic, ip addresses change for legitimate reasons, such as if the user is behind a load balancer or TOR. The user agent check is pointless, it is like having a GET variable like ?is_hacker=False
, if the attacker has the session id they probably have the user agent, and if they don't this value is really easy to brute force.
Prevent session hijacking, XSS and network eavesdropping in PHP?
Session hijacking - it is when somebody knows your session identification number, provides it to the severs and, for example, logins with your priveleges.
XSS - cross site scripting, it is connected with badly filtered forms, which allow bad guys to implement their javascript code and still, for example, you cookie files.
They are 2 different forms of attack.
About preventing session hijacking some tips:
1) Set php.ini directives:
session.use_only_cookies = 1 -> for using only cookie based session ids
session.use_trans_sid = 0 -> disable showing PHPSESSID in browser url
2) About sessions
session_start();// -> starts your session.
//Your browser will accept http header with session id and store it.
//You will be identified by this session id, usually PHPSESSID
It is looking like that:
GET / HTTP/1.1
Host: example.org
User-Agent: Mozilla Compatible (MSIE)
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=1234
When session started you can provide any data to php global array $_SESSION, like
$_SESSION['var'] = 'abc';
If someone knows your PHPSESSID, he can send the same http header to the server and start using it, like he is you.
So, the best way to avoid it:
a) use session_regenerate_id() everytime you provide any important data. It will delete old session number and generate a new one.
b) save in $_SESSION you fingers: ip adress and/or browser-agent. If they differs, than - it is not you. For example:
session_start();
if (isset($_SESSION['HTTP_USER_AGENT']))
{
if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
{
//some code
}
}
else
{
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
c) use SSL for providing sensitive data.
Hope, you'll find it usefull.
presenting a session id to the server is causing session fixation
This approach it's very dangerous the attacker would be able to take over any sessions that has not been deleted or expired.
To prevent this, add a simple check to change the session ID using session_regenerate_id
.
This function keeps all current session variable values, but replaces the session ID with a new one that an attacker can not know.
To do this, check for a special session variable that you arbitrarily invent. If it doesnt exists, you know that this is a new session, so you simply change the session ID and set the special session variable to note the change
Code:
<?php
session_start();
if(!isset($_SESSION['initiated'])){
session_regenerate_id();
$_SESSION['initiated']=1;
}
if(!isset($_SESSION['count'])) $_SESSION['count']=0;
else ++$_SESSION['count'];
echo $_SESSION['count'];
?>
If you want to be ultra paranoid you can even regenerate the session ID on each request.
Does regenerating a session ID help prevent fixation, hijacking or both?
It'd be a race condition. You'd have 2+ users both sharing the same session ID. At some point your code decides to regenerate the ID, which would send the new ID to one of those users. If the attacker lucks out and their "hit" is the on that gets the regenerated ID, they'll be in the clear and have total control over that session now.
If the actual user gets the regenerated ID, then the attacker is now left with an invalid session ID, and they'll have to try and hijack the freshly regenerated ID and start over again.
PHP session hijack
The user has no acccess to $_SESSION['id']
. He can not modify a variable that's kept on your server (see session
doc).
session_regenerate_id()
has a different purpose. It resets the cookie SID. That's the handle that differentiates users and sessions. It only makes sense to use if you have a secondary identifier (IP or user agent string) to verify. It's main purpose is preventing stale or intersecting sessions. Again, see the manual.
Related Topics
How to Remove Duplicate Values from an Array in PHP
Parse Query String into an Array
File_Get_Contents(): Ssl Operation Failed With Code 1, Failed to Enable Crypto
How to Get Parameters from a Url String
PHP Syntax For Dereferencing Function Result
How to Access This Object Property With an Illegal Name
PHP Function to Generate V4 Uuid
Only Variables Should Be Passed by Reference
How to Display HTML Tags as Plain Text
Should I Manually Check For Errors When Calling "MySQLi_Stmt_Prepare"
Is There a Code Obfuscator For PHP
Angularjs Http Post to PHP and Undefined
Use an Array in a MySQLi Prepared Statement: 'Where .. In(..)' Query
Replace Keys in an Array Based on Another Lookup/Mapping Array