PHP Session Fixation / Hijacking

Frontend · Unresolved · 5 answers · 1436 views
闹比i 2020-11-22 06:19

I'm trying to understand more about PHP Session Fixation and hijacking and how to prevent these problems. I've been reading the following two articles on Chris Shiflett's

5 answers

    夕颜 (original poster)
    2020-11-22 06:40

    Both session attacks have the same goal: Gain access to a legitimate session of another user. But the attack vectors are different:

    • In a Session Fixation attack, the attacker already has access to a valid session and tries to force the victim to use this particular session.

    • In a Session Hijacking attack, the attacker tries to get the ID of a victim’s session to use his/her session.

    In both attacks the session ID is the sensitive data these attacks are focused on. So it’s the session ID that needs to be protected for both a read access (Session Hijacking) and a write access (Session Fixation).

    The general rule of protecting sensitive data by using HTTPS applies in this case, too. Additionally, you should do the following:

    To prevent Session Fixation attacks, make sure that:

    • the session ID is only accepted from a cookie (set session.use_only_cookies to true) and make it for HTTPS only if possible (set session.cookie_secure to true); you can do both with session_set_cookie_params.

    To prevent Session Hijacking attacks, make sure that:

    • the session ID in the cookie is only readable by your server (set session.cookie_httponly to true)
    • an additional source of entropy is used (see session.entropy_file) as PHP’s random number generator has a known weakness; many security advisories suggest at least 128 bit of entropy length (see session.entropy_length)
    • a strong cryptographic hash function is used (see session.hash_function); at best it is a computationally expensive hash function like Whirlpool that for example is five times slower than MD5 and thus allows only a fifth of the number of hash operations compared to MD5.

    To prevent both session attacks, make sure that:

    • to only accept sessions that your application has initiated. You can do this by fingerprinting a session on initiation with client specific information. You can use the User-Agent ID but don’t use the remote IP address or any other information that might change between requests.
    • to change the session ID using session_regenerate_id(true) after an authentication attempt (true only on success) or a change of privileges and destroy the old session. (Make sure to store any changes of $_SESSION using session_write_close before regenerating the ID if you want to preserve the session associated to the old ID; otherwise only the session with the new ID will be affected by those changes.)
    • to use a proper session expiration implementation (see How do I expire a PHP session after 30 minutes?).
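
The following is an added example, not code from the answer above or from PHP's documentation. It puts the answer's recommendations into one small session bootstrap: cookie-only session IDs sent over HTTPS with HttpOnly, a User-Agent fingerprint recorded when the application initiates a session, a fresh ID on successful login, and an idle-time expiration. The function names, the session keys (`fingerprint`, `last_activity`, `user_id`), the 30-minute limit and the use of `session.use_strict_mode` (a PHP setting that rejects IDs the server never issued) are my own choices; the entropy and hash-function settings from the answer are left to `php.ini` and not repeated here.

```php
<?php
declare(strict_types=1);

// Added example (not the original answer's code). Applies the answer's
// recommendations in a session bootstrap; names and values are assumptions.

const SESSION_IDLE_LIMIT = 30 * 60; // seconds of inactivity before the session is dropped

// Fingerprint from the User-Agent only: the remote IP may change between
// requests (proxies, mobile networks), so it is deliberately not included.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Give the current session a fresh ID and empty data, then record the
// fingerprint so later requests can be checked against it.
function reset_session(string $fingerprint): void
{
    $_SESSION = [];
    session_regenerate_id(true); // true: also delete the data stored under the old ID
    $_SESSION['fingerprint']   = $fingerprint;
    $_SESSION['last_activity'] = time();
}

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    // Fixation: take the ID from the cookie only, never from the URL ...
    ini_set('session.use_only_cookies', '1');
    // ... and refuse IDs this server never issued (PHP >= 5.5.2).
    ini_set('session.use_strict_mode', '1');

    // Hijacking: the cookie travels over HTTPS only and is not readable from JavaScript.
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    $fp = client_fingerprint();
    if (!isset($_SESSION['fingerprint'], $_SESSION['last_activity'])) {
        // Session initiated by this application right now: record its fingerprint.
        $_SESSION['fingerprint']   = $fp;
        $_SESSION['last_activity'] = time();
        return;
    }

    $idle = time() - (int) $_SESSION['last_activity'];
    if (!hash_equals((string) $_SESSION['fingerprint'], $fp) || $idle > SESSION_IDLE_LIMIT) {
        // Presented by a different client, or idle too long: discard and start over.
        reset_session($fp);
        return;
    }

    $_SESSION['last_activity'] = time();
}

// Call only after the credentials have been verified successfully.
function login_user(int $userId): void
{
    // A new ID after authentication means an ID planted before login is
    // deleted and never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in a front controller (assumed layout):
//   secure_session_start();                      // on every request, before any output
//   if (credentials_ok) { login_user($userId); } // only on a successful check
//   logout_user();                               // on logout
```

`secure_session_start()` has to run before any output is sent, since it sets headers. A fingerprint mismatch is handled by `reset_session()` rather than by `session_destroy()` so the visitor keeps a usable, but anonymous, session under a new ID; the privileged data tied to the old ID is gone either way.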
