PHP: Session Security

Question

I read about session security eg. Session Fixation, Hijacking & Injection but am confused about the workings of session security. The way I usually do it:

// when user logins, 
$_SESSION["user"] = "someuser";

// check user login
if (isset($_SESSION["user"]) && !empty($_SESSION["user"]))

Maybe I am doing it wrong, but I don't have Session IDs anywhere, or at least I didn't use it. Can someone explain how should Session IDs be used & how it affects session security? Also, is my understanding of the following threats correct?

Session Fixation

• User visits link (http://site.com?session_id=123) and logs in
• Server "marks" that session id as logged in
• Hacker can now visit http://site.com?session_id=123

My understanding of Session Fixation seems very wrong to me. If its correct won't it mean that hackers can randomly use session ids and I will likely be used by an existing user?

Session Hijacking

• Hacker somehow gets Session ID whether by Fixation or guessing etc

Session Injection

• What is this?

Answer 1

You're not using session IDs explicitly, but PHP uses them automatically. The session ID is sent as a cookie to the browser, who sends it back to the server with every request to identify itself and resume the session. Without that, sessions are not possible.

A way to improve security is to regularly change the ID of a session, using session_regenerate_id(). That way, if a hacker acquires somebody's session ID, he has only a limited amount of time to abuse it.

Another way to prevent session hijacking (a hacker using your session ID to steal your session) is to store the client IP and user agent string when the session is opened and verifying that they haven't changed when resuming the session.

Answer 2

When using sessions, the session ID is the only information used to identify a session. Because of this, the session ID is a sensitive information.

Now both attacks, session hijacking and session fixation, aim for a valid session ID of a victim to gain access on that session. As for session hijacking, the attacker tries to obtain a victims session ID, and as for session fixation, the attacker tries to foist a prepared session on the victim.

To protect your application from those session attacks, there are two common safety measures:

• protect valid session IDs, and
• authenticate usage of sessions.

With PHP’s default session settings, the session ID is transmitted using a cookie (see session.use_only_cookies). You can protect this cookie by using a secure connection with SSL/TLS and by setting session.cookie_httponly to true so that the cookie can only be read when sent via HTTP and not by a client side program like JavaScript.

Additionally, you could authenticate the use of a session by associating a fingerprint of the client with the session. This could be a combination of user agent identifier and other request header fields.

Furthermore, you should change the ID of a session with every verification of authenticity or change of authorization. You can use session_regenerate_id(true) for this with an invalidation of the old session ID.