Monday 25 December 2017

PHP Session Security





What are some guidelines for maintaining responsible session security with PHP? There's information all over the web and it's about time it all landed in one place!


Answer



There are a couple of things to do in order to keep your session secure:





  1. Use SSL when authenticating users or performing sensitive operations.

  2. Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.

  3. Have sessions time out.

  4. Don't use register globals.

  5. Store authentication details on the server. That is, don't send details such as username in the cookie.

  6. Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking. You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc. (which is the case in our environment here).

  7. Lock down access to the sessions on the file system or use custom session handling.

  8. For sensitive operations consider requiring logged in users to provide their authentication details again.
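The following is an added example, not code from the original answer, showing how several of these guidelines (secure cookie flags, id regeneration on login, an idle timeout, User-Agent binding and re-authentication for sensitive operations) fit together in plain PHP. The helper names, `IDLE_TIMEOUT` and `REAUTH_WINDOW` are this example's own choices and assume PHP 7.3 or newer for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the original answer). IDLE_TIMEOUT, REAUTH_WINDOW and the
// function names below are assumptions made for this illustration.
const IDLE_TIMEOUT  = 900; // seconds of inactivity before the session is dropped
const REAUTH_WINDOW = 300; // sensitive operations need a login newer than this

function start_secure_session(): void {
    // Reject session ids the server never issued, and never accept ids from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Cookie only travels over HTTPS, is invisible to JavaScript and is not sent cross-site.
    session_set_cookie_params([
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/',
    ]);
    session_start();

    // Bind the session to the browser's User-Agent; a mismatch is treated as hijacking.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['ua']) && !hash_equals($_SESSION['ua'], $ua)) {
        destroy_session();
        session_start();
    }
    $_SESSION['ua'] = $ua;

    // Idle timeout enforced server-side, independent of the cookie's lifetime.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        destroy_session();
        session_start();
    }
    $_SESSION['last_seen'] = time();
}

function login(int $userId): void {
    // Security level changed: issue a fresh id and delete the old one so a
    // pre-set (fixated) id cannot be reused after authentication.
    session_regenerate_id(true);
    // Only the user id is kept; username and roles are looked up server-side.
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

function requires_reauth(): bool {
    // Sensitive operations ask for the password again when the login is too old.
    return !isset($_SESSION['auth_time']) || time() - $_SESSION['auth_time'] > REAUTH_WINDOW;
}

function destroy_session(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/'); // expire the cookie client-side
    session_destroy();
}
```

Call start_secure_session() before any output on every page, login() after a successful password_verify(), and gate sensitive handlers on requires_reauth().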


