I read about session security eg. Session Fixation, Hijacking & Injection but am confused about the workings of session security. The way I usually do it:
// when user logins,
$_SESSION["user"] = "someuser";
// check user login
if (isset($_SESSION["user"]) && !empty($_SESSION["user"]))
Maybe I am doing it wrong, but I don’t have Session IDs anywhere, or at least I didn’t use it. Can someone explain how should Session IDs be used & how it affects session security? Also, is my understanding of the following threats correct?
Session Fixation
- User visits link (http://site.com?session_id=123) and logs in
- Server “marks” that session id as logged in
- Hacker can now visit http://site.com?session_id=123
My understanding of Session Fixation seems very wrong to me. If its correct won’t it mean that hackers can randomly use session ids and I will likely be used by an existing user?
Session Hijacking
- Hacker somehow gets Session ID whether by Fixation or guessing etc
Session Injection
- What is this?
You’re not using session IDs explicitly, but PHP uses them automatically. The session ID is sent as a cookie to the browser, who sends it back to the server with every request to identify itself and resume the session. Without that, sessions are not possible.
A way to improve security is to regularly change the ID of a session, using
session_regenerate_id(). That way, if a hacker acquires somebody’s session ID, he has only a limited amount of time to abuse it.Another way to prevent session hijacking (a hacker using your session ID to steal your session) is to store the client IP and user agent string when the session is opened and verifying that they haven’t changed when resuming the session.