What do I need to store in the php session when user logged in?

by

Terminology

  • User: A visitor.
  • Client: A particular web-capable software installed on a particular machine.

Understanding Sessions

In order to understand how to make your session secure, you must first understand how sessions work.

Let’s see this piece of code:

session_start();

As soon as you call that, PHP will look for a cookie called PHPSESSID (by default). If it is not found, it will create one:

PHPSESSID=h8p6eoh3djplmnum2f696e4vq3

If it is found, it takes the value of PHPSESSID and then loads the corresponding session. That value is called a session_id.

That is the only thing the client will know. Whatever you add into the session variable stays on the server, and is never transfered to the client. That variable doesn’t change if you change the content of $_SESSION. It always stays the same until you destroy it or it times out. Therefore, it is useless to try to obfuscate the contents of $_SESSION by hashing it or by other means as the client never receives or sends that information.

Then, in the case of a new session, you will set the variables:

$_SESSION['user'] = 'someuser';

The client will never see that information.

The Problem

A security issue may arise when a malicious user steals the session_id of an other user. Without some kind of check, he will then be free to impersonate that user. We need to find a way to uniquely identify the client (not the user).

One strategy (the most effective) involves checking if the IP of the client who started the session is the same as the IP of the person using the session.

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}

// The Check on subsequent load
if($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) {
    die('Session MAY have been hijacked');
}

The problem with that strategy is that if a client uses a load-balancer, or (on long duration session) the user has a dynamic IP, it will trigger a false alert.

Another strategy involves checking the user-agent of the client:

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT'];
}

// The Check on subsequent load
if($_SESSION['agent'] != $_SERVER['HTTP_USER_AGENT']) {
    die('Session MAY have been hijacked');
}

The downside of that strategy is that if the client upgrades it’s browser or installs an addon (some adds to the user-agent), the user-agent string will change and it will trigger a false alert.

Another strategy is to rotate the session_id on each 5 requests. That way, the session_id theoretically doesn’t stay long enough to be hijacked.

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['count'] = 5;
}

// The Check on subsequent load
if(($_SESSION['count'] -= 1) == 0) {
    session_regenerate_id();
    $_SESSION['count'] = 5;
}

You may combine each of these strategies as you wish, but you will also combine the downsides.

Unfortunately, no solution is fool-proof. If your session_id is compromised, you are pretty much done for. The above strategies are just stop-gap measures.

More Related Contents:

  1. PHP Session Fixation / Hijacking
  2. “Keep Me Logged In” – the best approach
  3. How to properly add cross-site request forgery (CSRF) token using PHP
  4. Preventing session hijacking
  5. Session hijacking and PHP
  6. Is it secure to store a password in a session? [duplicate]
  7. Secure and Flexible Cross-Domain Sessions
  8. Proper session hijacking prevention in PHP
  9. SQL injection that gets around mysql_real_escape_string()
  10. PHP session lost after redirect
  11. PHP: Is mysql_real_escape_string sufficient for cleaning user input?
  12. Keeping session alive with Curl and PHP
  13. cleanup php session files
  14. PHP image upload security check list
  15. Session lost when switching from HTTP to HTTPS in PHP
  16. Stop people uploading malicious PHP files via forms
  17. PHP – Session destroy after closing browser
  18. Detect if PHP session exists
  19. What is PHP session_start()
  20. Remotely destroy a session in php (user logs in somewhere else)?
  21. What does mysql_real_escape_string() do that addslashes() doesn’t?
  22. Why Session object destruction failed
  23. Generate cryptographically secure random numbers in php
  24. Use of Initialization Vector in openssl_encrypt
  25. Secure User Image Upload Capabilities in PHP
  26. Set httpOnly and secure on PHPSESSID cookie in PHP
  27. Reopening a session in PHP
  28. Json: PHP to JavaScript safe or not?
  29. Extending session timeout in PHP via the .htaccess
  30. saving checkbox state on reload

Leave a Comment