8

I'm wondering how you could best protect sessions. I've searched a bit and find a lot of answers, but many of them are just too confusing.

How to prevent sessions from being hijacked? I've read a lot about "sessions tokens" you generate in a form, but really don't understand what their use is. How does this prevent session hijacking?

I know you don't save things like passwords in sessions, but what CAN you store in them safely? Permissions (like a session variabele which keeps track of the user level. Every time a page is opened, the session variabele is checked. It's it's not a certain number, you get an "access-denied" message displayed)? Or how do you handle this best?

Thank you!

Bv202
  • 3,924
  • 13
  • 46
  • 80
  • possible duplicate of [Prevent PHP sesison hijack, are these good ideas?](http://stackoverflow.com/questions/2917177/prevent-php-sesison-hijack-are-these-good-ideas) – Stephen Feb 15 '11 at 21:56

1 Answers1

7

You can basically store anything in the session that you want, it is just considered "best" practice not to include any security sensitive information, such as passwords, in case a layer of security is compromised.

The first step to preventing session hijacking is to not pass your session_id() via url. Users are stupid, and they will post links on their blogs with their session id, which would basically give whoever clicked that link access to their session. Therefore, it is recommended to store your session id in the users cookie.

With that said, you want to filter and escape all your user input. If you have an XSS injection, and the user is able to inject javascript, they will be able to read your cookies without a problem.

From there, you generally want to regenerate_session_id() on any major action on your website, to prevent session fixation.

It's pretty simple, and that about sums it up.

John Cartwright
  • 5,109
  • 22
  • 25
  • Hi, Thank you for the reply. I'm reading a bit more about session fixation right now. But what about the session token I often read about? Isn't this needed? – Bv202 Feb 15 '11 at 22:02
  • Your probably referring to CSRF (See http://shiflett.org/articles/cross-site-request-forgeries) which really has nothing to do with session hijacking. – John Cartwright Feb 15 '11 at 22:04
  • 1
    The correct PHP function name is session_regenerate_id() – Heitor Apr 11 '16 at 22:49