
I am trying to learn about sessions and security, and the first step seems to be strengthening the session by using session_regenerate_id(). Unfortunately, no good documentation has been given as to how, and why, we should even be using it in the first place. So I checked some answers like this one, Using Session_regenerate_id() on SO, which actually fail to provide any proper usage or explain how it protects the page from session fixation/hijacking.

I am always using something like this (for a simple login script; I know about MySQL injection, this is just an example):

if ($_POST) {
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $query = mysql_query("SELECT *
                          FROM users
                          WHERE username = '$username'
                          AND password = '$password' ");
    $row = mysql_fetch_array($query);

    if ($row) {
        $_SESSION['LoggedIn'] = md5($username);
    }
}

Now, I check using this method to verify and give access to logged-in users:

if (isset($_SESSION['LoggedIn']) && !empty($_SESSION['LoggedIn'])) {
    // give access to secured page
} else {
    // redirect to login page
}

So, my question is: how does session_regenerate_id() help me strengthen the session, and how do I use it properly?

samayo

2 Answers


Regenerating the ID protects against session fixation, where an attacker takes someone else's session ID as their own by adjusting the session ID in their cookies.

As an example situation:

  1. I go to www.nsa.gov on Edward Snowden's computer while he's at lunch.
  2. I note his PHPSESSID cookie.
  3. I wait for him to log in to the super-secure system.
  4. I can now set my PHPSESSID value to his and have his access.

Regenerating the session on login and privilege escalation means the ID I'd grabbed is now useless.

ceejayoz
  • Ok, but do you regenerate the ID on every page refresh or what? I mean, do I place it after `session_start()`? If so, it will be generated on every HTTP request. – samayo Dec 08 '13 at 22:08
  • It's not necessary to regenerate on every refresh. You could, but it might cause too much overhead if you're storing sessions in a DB or something. Some people regenerate randomly every 10 pageviews or so. Some just regenerate on initial login. It probably depends on how secure your system needs to be. – ceejayoz Dec 08 '13 at 22:10
  • So, what then is the connection between the session I assign and the regenerated session ID? ($_SESSION['loggedin'] = 'Ok'; $newId = session_regenerate_id()) Now, what is the difference between `$_SESSION['loggedin']` and `$newId`? Won't they conflict, since the new ID for the same value is getting regenerated? – samayo Dec 08 '13 at 22:13
  • Regenerating the ID doesn't change the session data at all. It changes the cookie in the browser that tells PHP how to find that data, so that someone who knows your old ID can't get at it. – ceejayoz Dec 08 '13 at 22:24
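As an added example (not code from the question or the answer above): a login handler that regenerates the session ID exactly at the privilege boundary the answer describes, deleting the old session so a fixated or observed ID stops working. It assumes a PDO connection in `$pdo` and a `users` table with `id`, `username` and `password_hash` columns; PDO with a prepared statement and password_verify() are used in place of the question's mysql_* calls and md5().

```php
<?php
// Added example; $pdo and the users table layout are assumptions.
session_start();

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Privilege changes here (anonymous -> authenticated), so any session ID
    // that existed before login is discarded. The argument true deletes the
    // old session file/row so the old ID cannot be replayed. Note that
    // session_regenerate_id() returns a bool, not the new ID; the new ID is
    // available through session_id(). $_SESSION contents are unchanged.
    session_regenerate_id(true);

    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the browser's session cookie, then drop the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (loginUser($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /secure.php');
        exit;
    }
    echo 'Login failed';
}
```

Call requireLogin() at the top of each protected page after session_start(); regenerating once at login (and again on any later privilege change) is what invalidates an ID an attacker fixed or captured beforehand.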