
PHP: is checking the session secure enough?

I have two possibly elementary questions about php SESSIONs and cookies

1) How does the server know when a session terminates? Or when to get rid of the session_id and info etc. (that is, if session_destroy isn't called)?

2) Given that on the client side a cookie is stored containing a unique session id that the server uses to identify the individual, if someone were to gain access to that session id they could access all of the same information, right? Is there an extra level of security necessary then to identify a user other than simply checking the session information?

How does the server know when a session terminates?

A session is basically a bunch of data, stored on the server. The client is recognized and matched to a specific session by the session ID, stored in the session and on the client side in a cookie with the default name of PHPSESSID . (You can find its value in your browser or using the session_id() function in PHP.) If the browser deletes this cookie, the session ID is lost on the client side, and there is no way the client can get back the other data stored in the session on the server. This data is eventually deleted by the garbage collector.

The garbage collector is called with some probability each time session_start() is called. The probability equals gc_probability / gc_divisor . The garbage collector deletes the session data if the session has been around for more than gc_maxlifetime seconds. You can check all these values in the phpinfo() output or using e.g. ini_get('session.gc_maxlifetime') . That's about the session data on the server. Now about the client.

Session configuration contains a value session.cookie_lifetime . Quoting PHP manual :

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0.

From PHP Sessions and security :

0 have special meaning. It tells browsers not to store cookie to permanent storage. Therefore, when browser is terminated, session ID cookie is deleted immediately. If developer set other than 0, it may allow other users to use the session ID. Most applications should use "0" for this. If auto login feature is required, implement your own secure auto login feature. Do not use session ID for it.

You can check the setting using any of the following:

  1. phpinfo() , look for session.cookie_lifetime in the session section.
  2. session_get_cookie_params()['lifetime']
  3. ini_get('session.cookie_lifetime')

So basically, if the session cookie lifetime is 0, the browser deletes it when it is closed and the client loses access to the session data.

If someone were to gain access to that session ID, they could access all of the same information?

Yes. As long as the ID is known to (any) client and the session data is not deleted on the server, the client can access it.

Is there an extra level of security necessary then to identify a user other than simply checking the session information?

It depends on your application. Getting the session ID is not trivial; one needs either to intercept the communication or to have direct access to the client data. Interception can be prevented using a TLS-based encrypted connection. Getting the client data requires some malicious software.

This article describes a safer cookie implementation for user authentication. In short, while it still doesn't prevent cookie hijacking , it gives you a way to detect it, notify the user and prevent the stolen cookie from being re-used.

Another article gives a more complete overview of good practices for user authentication. As usual, security requires that the whole project is implemented in a secure way, not just one, seemingly critical part of it. But if I may suggest, don't overdo it. The effort should be reasonable for the particular requirements of each project.
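The answer above walks through cookie lifetime, the probabilistic garbage collector and the fact that whoever holds the session ID holds the session. The following is an added example, not code from the question or the answer, showing how those points translate into a session bootstrap in PHP: the cookie is issued with lifetime 0 and the secure/httponly/samesite flags, idle and absolute timeouts are enforced by the script itself rather than left to the GC run, and the ID is rotated on login and periodically so that a captured ID stops working. The timeout values and the function names are assumptions chosen for the example; it requires PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(), and a site served over HTTPS (the secure flag means the cookie is never sent over plain HTTP).

```php
<?php
// Added example (not from the original post): a hardened session bootstrap.
// Assumes PHP >= 7.3 and HTTPS. Timeout values are illustrative assumptions.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS     = 15 * 60;   // assumption: 15 min without a request
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600;  // assumption: 8 h hard limit per session
const REGENERATE_INTERVAL      = 5 * 60;    // assumption: rotate the ID every 5 min

function startSecureSession(): void
{
    // Reject IDs the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    // Never accept the session ID from a URL parameter, only from the cookie.
    ini_set('session.use_only_cookies', '1');
    // Server-side data becomes collectable by GC after this idle time.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);

    session_set_cookie_params([
        'lifetime' => 0,       // "until the browser is closed", per the manual
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // sent only over TLS, so it cannot be sniffed in clear
        'httponly' => true,    // not readable from JavaScript (limits theft via XSS)
        'samesite' => 'Lax',   // not attached to cross-site POSTs (CSRF mitigation)
    ]);
    session_start();

    $now = time();
    if (!isset($_SESSION['created_at'])) {
        stampNewSession($now);                 // brand-new session
    } elseif ($now - $_SESSION['created_at'] > ABSOLUTE_TIMEOUT_SECONDS
           || $now - $_SESSION['last_seen'] > IDLE_TIMEOUT_SECONDS) {
        // Expired: drop the data and the ID without waiting for the GC lottery.
        $_SESSION = [];
        session_regenerate_id(true);           // true = delete the old session data
        stampNewSession($now);
    }
    $_SESSION['last_seen'] = $now;

    // Periodic rotation: an ID captured earlier is useless after the next rotation.
    if ($now - $_SESSION['rotated_at'] > REGENERATE_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }
}

function stampNewSession(int $now): void
{
    $_SESSION['created_at'] = $now;
    $_SESSION['last_seen']  = $now;
    $_SESSION['rotated_at'] = $now;
}

function loginUser(int $userId): void
{
    // Always issue a fresh ID when privilege changes, so an ID the attacker may
    // have planted before login is never upgraded to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the client-side cookie as well, not just the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

startSecureSession();
```

The script checks last_seen itself because, as the answer notes, garbage collection only runs with probability gc_probability/gc_divisor, and on some distributions (Debian and Ubuntu, for instance) it is disabled in PHP and done by a cron job that reads the system php.ini rather than any value set with ini_set(). Expired session data on disk is therefore not a reliable logout mechanism; the explicit timestamps are.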
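The answer also mentions a cookie scheme for persistent login that cannot stop a stolen cookie from being used once but does detect the theft and blocks further use. The block below is an added example of such a scheme, written for this page rather than taken from the linked article or from the original post. A cookie carries a series identifier and a single-use token; the server stores only a hash of the token per series. A correct series with a wrong token means a cookie that was already consumed has been replayed, so every series for that user is revoked and an alert is recorded. The store is an in-memory array standing in for a database table, and the cookie is modelled as a string so the script runs from the command line; class and method names are assumptions. Requires PHP 7.4 or later (typed properties).

```php
<?php
// Added example (not from the original post or the linked article): a
// "remember me" token with theft detection. Assumes PHP >= 7.4. The store is
// an in-memory array standing in for a database table.

declare(strict_types=1);

final class RememberMe
{
    /** @var array<string, array{user:string, hash:string}> series id => record */
    private array $store = [];
    /** @var string[] users whose tokens were revoked on suspected theft */
    public array $alerts = [];

    // Called at login when the user ticks "remember me"; returns the cookie value.
    public function issue(string $user): string
    {
        $series = bin2hex(random_bytes(16));   // stable per device/browser
        return $this->rotate($series, $user);
    }

    // Validate a presented cookie. Returns [user, newCookie] on success, null otherwise.
    public function validate(string $cookie): ?array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
            return null;                       // malformed: treat as no cookie
        }
        [$series, $token] = $parts;
        if (!isset($this->store[$series])) {
            return null;                       // unknown series: no login, no alarm
        }
        $rec = $this->store[$series];
        // Constant-time compare of hashes; the store never holds the raw token,
        // so a leaked table does not yield usable cookies.
        if (!hash_equals($rec['hash'], hash('sha256', $token))) {
            // Right series, stale token: a cookie that was already consumed has
            // been replayed. Either the real user or a thief holds an old copy,
            // so revoke every series for that user and raise an alert.
            foreach ($this->store as $s => $r) {
                if ($r['user'] === $rec['user']) {
                    unset($this->store[$s]);
                }
            }
            $this->alerts[] = $rec['user'];    // hook: notify the user here
            return null;
        }
        // Valid: consume the token and hand back a fresh one in the same series.
        return [$rec['user'], $this->rotate($series, $rec['user'])];
    }

    private function rotate(string $series, string $user): string
    {
        $token = bin2hex(random_bytes(32));
        $this->store[$series] = ['user' => $user, 'hash' => hash('sha256', $token)];
        return $series . ':' . $token;
    }
}

// Walk-through with constructed data: one legitimate visit, then a replay of
// the cookie that was stolen before that visit rotated it.
$rm = new RememberMe();
$cookie1 = $rm->issue('alice');               // set on alice's browser at login
[$who, $cookie2] = $rm->validate($cookie1);   // alice returns: accepted, cookie rotated
assert($who === 'alice');
$replay = $rm->validate($cookie1);            // attacker replays the old cookie
assert($replay === null && $rm->alerts === ['alice']);
assert($rm->validate($cookie2) === null);     // alice's own current cookie is revoked too
echo 'theft detected for: ', implode(',', $rm->alerts), PHP_EOL;
```

Whichever side presents the stolen copy second, legitimate user or attacker, triggers the mismatch, so detection does not depend on who gets there first; the cost is that the legitimate user is logged out of every device and has to authenticate again with a password, which is the moment to show the notification. Keep this token entirely separate from PHPSESSID, as the quoted manual text advises, and set the cookie with the same secure and httponly flags as the session cookie.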
