InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

Preventing Session Fixation in PHP

InfinityCoder December 20, 2016

You need to ensure that a user’s session identifier cannot be provided by a third party, such as an attacker who seeks to hijack the user’s session.

Regenerate the session identifier with session_regenerate_id() whenever there is a change in the user’s privilege, such as after a successful login:

```php
<?php
session_start();
session_regenerate_id();   // pass true to delete the old session's data as well
$_SESSION['logged_in'] = true;
```

Sessions allow you to create variables that persist between requests. For sessions to work, each of the user's requests must include a session identifier that uniquely identifies a session.
By default, PHP accepts a session identifier sent in a cookie; if session.use_only_cookies is set to 0, it will also accept a session identifier passed in the URL or in a POST field. Leave it at its default of 1 (the default since PHP 5.3.0), because accepting identifiers from the URL is what makes the attack below trivial.

An attacker can trick a victim into following a link to your application that includes an embedded session identifier:

```html
<a href="http://example.org/login.php?PHPSESSID=1234">Click Here!</a>
```

A user who follows this link sends PHPSESSID=1234 to your application, and if identifiers from the URL are accepted, the user's requests are from then on tied to session 1234, a value the attacker chose.

The attacker therefore already knows the user's session identifier and can hijack the session simply by presenting the same identifier.
As long as the user never logs in or does anything else that distinguishes the session from an anonymous one, the attacker gains nothing by hijacking it.
By regenerating the identifier at every change in privilege level, you ensure that the session the attacker knows about is never the one that carries the user's privileges, which eliminates session fixation as an attack.

PHP takes care of updating the session data store and propagating the new session identifier, so you only need to call this one function at the right moments. Pass true as its argument to delete the old session's data as well; otherwise that data stays stored under the old identifier until garbage collection removes it.
As of PHP 5.5.2, the configuration setting session.use_strict_mode provides a second, independent defence against session fixation.

When it is enabled (it is off by default, so set it in php.ini or with ini_set() before session_start()), PHP accepts only session identifiers it has already initialized. If a browser sends an identifier that does not correspond to an existing session, PHP discards it and generates a new one, so a planted identifier is never adopted in the first place.
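Putting the pieces together, here is an added example (not code from the original page) of a session bootstrap and login handler that applies both defences: the hardened ini settings, session_regenerate_id(true) at the privilege change, and a logout that expires the cookie. It assumes PHP 7.1 or later; user_table(), check_credentials(), login(), require_login(), logout() and the sample user alice are constructed for the example and stand in for your own user lookup.

```php
<?php
// Added example, not code from the original page. The user table and
// credentials are constructed for the example; check_credentials() is a
// hypothetical helper standing in for a real user lookup.

// 1. Harden session handling before the session starts. These can live in
//    php.ini instead; ini_set() has no effect once session_start() has run.
ini_set('session.use_only_cookies', '1');  // never read the ID from the URL or POST body
ini_set('session.use_strict_mode', '1');   // PHP >= 5.5.2: ignore IDs the server never issued
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');     // cookie sent over HTTPS only
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3: not sent on cross-site POSTs

session_start();

/**
 * Constructed user table for the example. In a real application the hash
 * is computed once at registration with password_hash() and stored.
 */
function user_table(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 7, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

/** Hypothetical helper: returns the user ID on success, null otherwise. */
function check_credentials(string $username, string $password): ?int
{
    $users = user_table();
    // Verify against a throwaway hash when the user is unknown so that the
    // response time does not reveal which usernames exist.
    $hash = $users[$username]['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return null;
    }
    return $users[$username]['id'];
}

/** Authenticates the user and, on success, moves them to a fresh session ID. */
function login(string $username, string $password): bool
{
    $userId = check_credentials($username, $password);
    if ($userId === null) {
        return false;
    }

    // Privilege change: drop the pre-login ID, which an attacker may have
    // planted, and delete its data so the old ID cannot be replayed.
    session_regenerate_id(true);

    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = $userId;
    $_SESSION['login_at']  = time();
    return true;
}

/** Gate for pages that require authentication; returns the user ID. */
function require_login(): int
{
    if (empty($_SESSION['logged_in'])) {
        http_response_code(403);
        exit('Login required');
    }
    return (int) $_SESSION['user_id'];
}

/** Clears the session server-side and expires the cookie in the browser. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Typical use from a login form handler (POST only, so the credentials
// never appear in a URL or a referrer header).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /account.php');
    } else {
        http_response_code(401);
        echo 'Invalid username or password';
    }
    exit;
}
```

Two things to keep in mind when trying this: with session.cookie_secure set, the browser will not store the cookie over plain HTTP, so a local HTTP-only test setup will appear to lose the session; and the same session_regenerate_id(true) call belongs at every later privilege change too (for example entering an administrative mode or re-authenticating), not only at the initial login.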
