Friday, May 6, 2011

PHP - Session Security, Tips to keep the session secure

As Explained in earlier post about the PHP Session - Starting Session, Modifying Session and Deleting Session,session stores important information. Most of the times Session have very important information about the user. User data, like Id, username, and many more.
Session might also have the Shopping Cart information. All these information are very valuable and sensitive. So proper methods are need to implemented to keep the session secure.

Here are some of the ways you can keep your session safe.

  1. Use SSL when authenticating users or performing sensitive operations.
  2. Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
  3. Have sessions time out
  4. Don't use register globals
  5. Store authentication details on the server. That is, don't send details such as username in the cookie.
  6. Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking. You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc (which is the case in our environment here).
  7. Lock down access to the sessions on the file system or use custom session handling
  8. For sensitive operations consider requiring logged in users to provide their authenication details again

1 comment:

  1. Great article. Useful Steps. helpful information. Thanks for sharing this information of PHP - Session Security, Tips to keep the session secure.
    http://www.dreamdestinations.in/

    ReplyDelete