ansaurus

Question

Answer 1

+2 A:

Assuming your session cookie is a GUID, there is no point encrypting it. It would just replace one pseudo-random string with another.

Marcelo Cantos 2010-04-11 00:17:15

Answer 2

+10 A:

Encrypting won't help. The session cookie is just a magic number anyway. Encrypting it just means there's a different magic number to hijack. Depending on what hijacking scenarios you have in mind, there are other possible mitigations. For example, you can limit sessions to a single IP. That poses some issues though, e.g. people switching between wireless points.

Matthew Flaschen 2010-04-11 00:17:34

Just to (hopefully) clarify for the OP - the *session* in which the cookie is transferred should still be encrypted, and the cookie flag HTTPOnly should be set to prevent its transfer over unencrypted channels. Properly encrypting the communication channel over which the session cookie is transported makes it harder for an attacker to intercept the cookie.

atk 2010-04-11 05:12:43

The question was about encrypting the coookie itself, i.e. the value stored by the browser. I agree encrypting the traffic is worthwhile for certain applications. I think you mean the Secure flag, not (just) HTTPOnly.

Matthew Flaschen 2010-04-12 13:21:47

Answer 3

+1 A:

Unfortunately encrypting the session ID is not going to increase security much, as the attacker can just use the encrypted form (which is the only thing visible to them anyways).

The only thing this might prevent is the trick where you send someone a link with ?PHPSESSID=foo in it, which will cause PHP to create that session. You can prevent that by using encryption and validation, but you should rather turn off session ID transfer in the URL completely.

Matti Virkkunen 2010-04-11 00:18:06

I believe just keeping session.use_trans_sid (http://www.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid) disabled is enough to prevent this.

Matthew Flaschen 2010-04-11 00:21:31

Yes, it is. Luckily it's disabled by default.

Matti Virkkunen 2010-04-11 00:27:49

Answer 4

+4 A:

It's more important that your session IDs are random (that is, someone can't use their session ID to guess another person's), as the real danger is somebody getting their hands on another user's session ID. As long as you keep them truly random, there's no reason to or utility in encrypting it

Michael Mrozek 2010-04-11 00:18:29

Answer 5

+1 A:

Make this script, access it from a web browser, then check your cookies.

<?php
  session_start();
?>

You will likely see something like this

Site         Cookie      Value
mysite.com   PHPSESSID   6fktilab3hldc5277r94qh2204

PHP does a fine job if generating a nice, unique id. There's not point in encrypting this.

macek 2010-04-11 00:23:57

This doesn't address the poster's question at all?

zombat 2010-04-11 00:31:34

@zombat, I was just demonstrating that PHP doesn't generate a `PHPSESSID` of `5` or something completely weak like the OP was may have been thinking.

macek 2010-04-11 00:57:36

Answer 6

+1 A:

It's always a good idea to never depend on solely on one cookie or item to validate your (logged in) user(s). As mentioned above, it's a good idea to also store the IP and check with that. A good addition would be to store the USER_AGENT.

Bare in mind that if your application is open sourced, you're just as good with a session id alone because the hacker could easily identify what it is you're validating against.

msakr 2010-04-11 00:34:05

Answer 7

A:

The session ID is relatively unguessable, so that's not really the issue.

There are a things you can do related to this to counteract attacks:

create a new session when a user signs in
limit the length of a session

There are quite a few other things as well. I always recommend studying the Rails Guide on these issues-- it offers a very accessible explanation of known problems and countermeasures-- all equally applicable to PHP code.

ndp 2010-04-11 04:29:26

ansaurus

tags:

views:

answers:

How to encrypt session id in cookie?

related questions