I am new to PHP and I am not familiar with session management. I am creating an e-commerce website, so I need to create a hack-proof session. For that I googled a lot about how to prevent session hijacking. The sources I read suggest that I include these functions in my code:
// some say to use this
session_start();
session_regenerate_id(true);
// others say to use this
session_start();
session_regenerate_id();
…and also to use HTTPS/TLS. In another Stack Overflow post I came across this:
- use enough random input for generating the session ID (see session.entropy_file, session.entropy_length, and session.hash_function)
- use HTTPS to protect the session ID during transmission
- store the session ID in a cookie and not in the URL to avoid leakage through Referer (see session.use_only_cookies)
- set the cookie with the HttpOnly and Secure attributes to forbid access via JavaScript (in case of XSS vulnerabilities) and to forbid transmission via insecure channel (see session.cookie_httponly and session.cookie_secure)
But I cannot understand those. It's just theory to me; instead, what I would like to have is some PHP code that does those things, or any website that has those things implemented, with PHP code that I could see and use as an example (and that ideally has some explanation to go along with it).
Session hijacking - it is when somebody knows your session identification number, provides it to the server and, for example, logs in with your privileges.
XSS - cross-site scripting, it is connected with badly filtered forms, which allow bad guys to implement their JavaScript code and steal, for example, your cookie files. They are 2 different forms of attack.
Some tips about preventing session hijacking: 1) Set php.ini directives:
session.use_only_cookies = 1 -> use only cookie-based session IDs
session.use_trans_sid = 0 -> disable showing PHPSESSID in the browser URL
2) About sessions
session_start(); // -> starts your session.
// Your browser will receive an HTTP header with the session ID and store it.
// You will be identified by this session ID, usually PHPSESSID.
It looks like this:
GET / HTTP/1.1
Host: example.org
User-Agent: Mozilla Compatible (MSIE)
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=1234
When the session is started you can put any data into the PHP global array $_SESSION, like
$_SESSION['var'] = 'abc';
If someone knows your PHPSESSID, he can send the same HTTP header to the server and start using it as if he were you.
So, the best way to avoid it:
a) use session_regenerate_id() every time you provide any important data. It will delete the old session number and generate a new one.
b) save your fingerprints in $_SESSION: IP address and/or browser agent. If they differ, then it is not you. For example:
session_start();
if (isset($_SESSION['HTTP_USER_AGENT']))
{
    // The session already carries a fingerprint: compare it with the current request.
    // The ?? '' guards against a request that sends no User-Agent header at all.
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'] ?? ''))
    {
        //some code
    }
}
else
{
    // First request of this session: store the fingerprint for later comparison.
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT'] ?? '');
}
c) use SSL for providing sensitive data.
Hope you'll find it useful.
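Putting the answer's tips and the question's checklist together in one PHP bootstrap file, as an added example that is not code from the question or the answer above. The function names start_hardened_session() and login_user() are my own, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: applies the php.ini directives and cookie attributes from the
// thread, binds the session to a User-Agent fingerprint, regenerates the ID on login.
declare(strict_types=1);

function start_hardened_session(): void
{
    // Session ID only via cookie, never in the URL (no PHPSESSID leakage via Referer).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject client-supplied IDs the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');

    // HttpOnly: not readable by JavaScript; Secure: sent over HTTPS only;
    // SameSite=Lax: not sent on most cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // Fingerprint: hash of the User-Agent, compared in constant time.
    $fp = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fp;
    } elseif (!hash_equals($_SESSION['fp'], $fp)) {
        // Fingerprint changed: drop all data and continue as a fresh anonymous session.
        $_SESSION = [];
        session_regenerate_id(true);   // true = delete the old session on the server
        $_SESSION['fp'] = $fp;
    }
}

// Call only after the password check succeeds, so the pre-login ID is never reused.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
```

The answer's IP-address check is left out on purpose: client IPs change legitimately behind mobile carriers and NAT, so binding to them logs out real users without stopping an attacker on the same network.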