Products Log in Sign up

Share Your Experience: Take the 2024

Developer Survey

Ask Question

PHP - Session identifier -

Security
Asked 7 years ago Modified 7 years ago

Viewed 906 times Part of PHP Collective

I have a question about using

the global $_SESSION[]
0 variable.

As of right now for my web-

application whenever a user
logs in, a row that matches that
username and that specific
password is returned. I then
get the column user_hash
and store that user_hash in
the $_SESSION['id'] .

I use this session to recognize

which user has logged in and
perform database queries
based on this unique hash. I
read somewhere that having a
"static" identifier like this (the
static identifier being the
user_hash, as it never
changes) is unsafe, and that I
should rather have the
user_hash change dynamically.

So I implemented a system
where everytime a user logged
and/or navigated to some other
page within the web-
application, I would generate a
new hash, store it in the
database, and then store it in
the global $_SESSION['id']
variable. I managed to do this,
but now everytime someone
tries to log in from two devices,
the device with the "older"
session is invalid, because the
user_hash changed from the
new device and logs off the
user with an older session.

My question is, is there really

any point in doing this? I am
using ssl (https) for my
webserver, so session hijacking
is relatively off the table I
think? If there is a security flaw
by only having a static session
identifier, is there a better way
to make it dynamic, while on
the same time not logging the
other user off?

php security session ssl

session-variables

Share Improve this question Follow

edited May 10, 2017 at 17:21

Funk Forty Niner
74.2k 15 70 143

asked May 10, 2017 at 16:58

tomSurge
256 1 5 15

with https it's still possible to

session hijack, cross site
script or sql inject
– Raymond Nijland May 10,
2017 at 17:02

@RaymondNijland although
session hijacking would
normally require malware in
the user's browser when using
TLS and that's really not
something web sites can
easily protect against. If
you're transferring your
session ID over https, it's not
subject to man in the middle
attacks which is the common
form of session hijacking.
– Devon Bessemer May 10,
2017 at 17:04

@Devon i mean with session

hijack that the attacker is
bruteforcing session_id's to
find a valid one that a user is
using.... the defualt PHP
session handling isn't very
secure – Raymond Nijland
May 10, 2017 at 17:09

Here's a quick read about a

discussion on this with
Laravel:
github.com/laravel/framework/
issues/15252. It short, you can
perform application logic to
require a password for
important things (deleting
something, accessing account
details, etc) but https is the
best protection against
hijacking. – Devon Bessemer
May 10, 2017 at 17:11

1 please use paragraphs.

Clumps of text like that is very
hard to read. I edited.
– Funk Forty Niner May 10,
2017 at 17:21

Show 1 more comment

Sorted by:
1
Answer Highest score (default)

Two Useful Links:

http://blog.teamtreehouse.com
1
/how-to-create-bulletproof-
sessions

https://paragonie.com/blog/201
5/04/fast-track-safe-and-
secure-php-sessions

I managed to do this,
but now everytime
someone tries to log in
from two devices, the
device with the "older"
session is invalid,
because the user_hash
changed from the new
device and logs off the
user with an older
session.

While this may be nessecary

depending on your security
requirements, the first link I
posted above says this:

mark the old session

as obsolete and mark
it to expire in ten
seconds [or some time
that suits your needs].
This way any queued
up requests will still
have access to the
expired session but we
don’t have to leave it
open forever.

static function regenerateSess

{
// If this session is obso
if(isset($_SESSION['OBSOLE
return;

// Set current session to

$_SESSION['OBSOLETE'] = tr
$_SESSION['EXPIRES'] = tim

// Create new session with

session_regenerate_id(fals

// Grab current session ID

$newSession = session_id()
session_write_close();

// Set session ID to the n

session_id($newSession);
session_start();

// Now we unset the obsole

unset($_SESSION['OBSOLETE'
unset($_SESSION['EXPIRES']
}

So I implemented a
system where
everytime a user
logged and/or
navigated to some
other page within the
web-application, I
would generate a new
hash, store it in the
database, and then
store it in the global
$_SESSION['id']
variable.

On a personal note I would

suspect it is extremely in-
efficient and will cause you a
large overhead of server load
this constant reinvention. It is
just not needed.

If you really want to reinvent

the session, simply use
session_regenerate_id()
and set it to a time value (say
every 10 minutes), as outlined
in the first link, at the top of
this post.

The only value that goes over

the wire, that matters, is the
session identification all values
within the session array are
never seen by the browser or
the end user.

So; as long as your session id

is a LONG randomised value, it
hides in plain sight. From the
second link above for more
destails about how to ensure
PHP gives you much more
random and longer named
session ids.

php.ini:

session.save_handler = files
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.cookie_domain = "examp
session.cookie_httponly = 1
session.entropy_length = 32
session.entropy_file = /dev/ur
session.hash_function = sha256
session.hash_bits_per_characte

If storing sessions in a
database please do ensure
that you make your column
names for the session id long
enough, else sessions will
never connect due to
truncation of the session
name.

Some other factors:

Do ensure that your

session cookies are set as
encrypted by PHP. This
has to be manually done
regardless of the state of
your TLS connection. see
session.cookie_secure=
1 , above.

You can help minimise the

already unlikely event of
hjacking by adding in
browser or ip specific data
(such as a hash of these
respective $_SERVER
values) to compare when
carrying out tasks that
warrent double checking
the session, to compare
that the browser
type/client IP still
compares to what's in the
session record. There can
be issues with each of
these two approaches,
such as a minority of
people on mobile
connections may change
IP during login or users on
multiple devices probably
will have different
browsers on each, but find
a methodology to compare
as you need (This is also
referenced in the first link
at the top of the page).

As stated above, the

$_SESSION data is never
stored on the client
machine, so hashing
values from the Database
to store in the $_SESSION
is very probably above and
beyond your security
needs.

The (single) most

important thing is that the
session id is secured and
large enough to
comfortably accommodate
a potential hacker fishing
with fake session ids as a
kin to playing battleships
on minecraft

Share Improve this answer Follow

edited May 10, 2017 at 18:11

answered May 10, 2017 at 17:31

Martin
22.5k 12 75 139

1 Thank-you! Great answer!

– tomSurge May 10, 2017 at
17:36

@tomSurge glad to hear it.

Which parts informed you the
most? any parts things you
already knew? – Martin May
10, 2017 at 17:37

Add a comment

Your Answer

Sign up or log in
Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest
Name

Email
Required, but never shown

Post By clicking “Post Your Answer”, you

Your agree to our terms of service and
acknowledge you have read our privacy
Answer
policy.

Not the answer you're looking for? Browse

other questions tagged php security

session ssl session-variables or ask

your own question.

PHP Join the discussion

Collective

This question is in a collective: a

subcommunity defined by tags with relevant
content and experts.

The Overflow Blog

An open-source development
paradigm

Developers get by with a little help

from AI: Stack Overflow Knows code...

Featured on Meta

Testing a new version of Stack

Overflow Jobs

What deliverables would you like to

see out of a working group?

Policy: Generative AI (e.g., ChatGPT)

is banned

The [price] tag is being burninated

The return of Staging Ground to Stack

Overflow

The 2024 Developer Survey Is Live

Related

2 PHP Sessions Issue

1 PHP $_SESSION Implementation

2 PHP session variable security

11 Do I need to use session_start() every

time I access the session variable?

2 Keeping PHP Sessions Secure

2 PHP - Sessions security and reliability

Hot Network Questions

Are Hybrid Rocket Motors still in use?

The principle of legality in criminal law, and

the common law

Is it possible for a postdoc to propose to

supervisor to spin-off the lab into a startup?

Can't set time to wee hours of January 1,

1970

How can a bloodline be rare without

completely dying out?

Variable of a Space-Containing Path Causing

Issues in WinSCP Script

How can the Bitcoin blockchain be forked?

Why are my benchmark times not repeatable,

even for a CPU-bound task?

Understanding roots of unity in quadratic

fields

Do they even fit? Yes!

Do the arm movements of the woman in 73

Yards mean anything?

What is the maximum number of times a

liquid rocket engine has detonated/ exploded
during development?

How would a considerably advanced

civilization do agriculture?

I Just ordered a 26 by 1.95 tube. Just found

out my Tire is Marked 26 by 2.10 Will the 1.95
fit? the 2.10 tire?

A very difficult situation: my coauthor

"scooped" my proof and theorem in a joint
work

When there is no self, who or what will exert a

conscious effort to reach nirvana?

How many Streifenkarte stripes are needed to

get from Munich airport to the city centre?

Can you still use a plug if the third prong is

reattached to it properly

Can a rental agreement state that no guests

or parties are allowed?

Is there any etymological connection between

the two dominant meanings of "or"?

My mobile phone has <something wrong>, so

I'll get it fixed

Is simplicity the most important criterion

when choosing between theories?

Unknown'70s British children's TV series with

Aztec culture, time travel and human sacrifice

Control height of subscript in LaTeX

Question feed

STACK OVERFLOW

Questions Help

PRODUCTS

Teams Advertising Collectives Talent

COMPANY

About Press Work Here Legal Privacy Policy

Terms of Service Contact Us Cookie Settings

By clicking “Accept all cookies”, you agree
Stack
Cookie Exchange can store cookies on your
Policy
device and disclose information in
accordance
STACK EXCHANGEwithNETWORK
our Cookie Policy.

Technology Culture & recreation Life & arts

Science Professional
AcceptBusiness
all cookies
API Data

Necessary cookies only

Blog Facebook Twitter LinkedIn Instagram

Site design / logoCustomize settings

© 2024 Stack Exchange Inc; user
contributions licensed under CC BY-SA.
rev 2024.5.30.9975