I was looking for ways to protect my website from a series of Attacks launched against Sessions, that result in loss of Personal Information of the Website users.
This article is not to explain what kind of those attacks are and the possible impacts and solutions. In this article, i will try to explain how to add a little extra security to your sessions to make your sessions much secure by implementing a custom sessions management system.
You may follow these links to read more about those attacks (just a few),
Session Fixation , Hijacking and Session Vulnerability on shared hosts.
After reading a lot about the issues and the solutions, I came to a solution that relying just on php's built-in support for sessions is not enough, and you have to apply some extra security measures to secure your user data stored in particular user's session, may be by developing a custom session management system that suits your needs.
Most of the time, security needs of all of us are the same (ie. the maximum possible security at the minimum cost), so i decided to write a piece of code that can help you manage your users' sessions with added security and the ease and flexibility that you get from php and with an advantage that you can at any time edit the configuration without the need to restart the server.
Features
So, what would you be expecting from a secure Sessions Management System? Definitely Increased Security. This system provides you a little extra:
- Easy Customizable Configuration,
- Most Secure Session Management specially for Shared Hosts,
- Supports its own parameters for customization rather than relying on php's settings,
- Built-in Support Against All Known Session Attacks (nothing to do extra. just install and use),
- Relies on just cookies for transfer of session id to users (You cannot transfer session id through URLs),
- A 32 digit secure id with first 3 digits for session integrity check,
- Save users' session data anywhere you want (preferably outside the web root) with ease to change the location to save session data,
- Error logging,
- Automatic regeneration of session id on each request for extreme security,
- Garbage Collection. This script automatically deletes the old and useless session files after a reasonable time. You can configure its behaviour.
How this system works?
This Sessions System is a php based script that you can easily include into your scripts to start handling sessions. You get an option to start sessions automatically (see session.autostart) or you may opt to do it yourself. Whatever way you adopt, it fetches the session id from cookie. From Which cookie to fetch the Session ID? You can set the cookie name in the Configuration file. If the cookie doesn't yet exist, it starts a new session.
Where cookie already exists, the session id is collected from the cookie and validated for integrity. Validation includes checking whether the cookie belongs to the same user that is currently sending this cookie (this check is based on HTTP_USER_AGENT). Another check is applied to ensure that some malicious user doesn't change the usercheck part of the session id, and add its own part to get access as the original user. To secure all this process, a security key is included. You can change the security key in the configuration file. Keep the security key as long as possible (possibly between 40-100 characters).
Once the session key is validated, it checks whether a session file exists for the same id! This check is included for three reasons:
- Avoid a possibility that a malicious user guesses your security key and attempts to write a session id that passes your validation,
- Check whether an existing session has expired (and session file deleted),
- Handle the situation when you have changed the session file prefix in configuration.
If the outcome is success, session data is read from file and transferred to php's superglobal array $_SESSION. Now on you can access this _SESSION array anywhere from within your script.
Remember! There is no need to use session_start() to initialize session.
How to use?
Using this script is very simple, and if you are just a little familiour with OOP, you will find it very easy to edit. Here is a tutorial:
require('./directory/outside/web-root/class.sessions.php');
$session = new session();
//Now you are free to use $_SESSION;
if(isset($_SESSION['key']))
echo $_SESSION['key'].' It already Exists';
else
$_SESSION['key'] = 'Hello World!';
//force save the $_SESSION data. Use code below
$session->close();
//use
$session->destroy();
//to delete the current session data from the session file.
//Remember, if you use $session->close() after you have destroyed
//the session data, it will restore the session data because the
//destroy() doesn't unset the $_SESSION superglobal.
//it just deletes the data inside the session file.
//this function is useful when you are logging the user out, or when
//you have already closed the session file using $session->close()
//use
$session->clear();
//to unset the $_SESSION variable (but the data still exists in session file.)
//you need to use $session->close() after you have used the clear()
//function to save the changes to session (ie. remove the data from file too).
//use
$session->clear();
$session->destroy();
//to remove all traces of user's activity.
$session->errors;
//returns array of errors occured during the process. It helps
//you fixing the config problem most of the time.
//use
$session->gc($id);
//where $id may be the id of any session (this or other person's)
//it helps you force deleting the session file of a particular user
//use $session->gc();
//to delete all old unused session files. What is old? you can define it.
//Normally there is no need to use gc() to delete old files.
//This class automatically deletes old files after some time.
//Behaviour of this function is php like.
//and finally use
$session->generate_id();
//to generate a random id and return the id value.
//normally you do not need to call this function,
//session id is generated automatically.
//but this function can be called to generate a 32 digit random id.
//and use
$session->regenerate_id();
//to regenerate session id, replace existing id with this, send cookie of
//new id, rename session file with new id etc.
//CALL THIS FUNCTION BEFORE ANY ACTUAL OUTPUT STARTS
//this class automatically regenerates id on each request,
//so normally you do not need to call this function.
Requirements:
PHP's latest version that you can have.
Read Write permission and Access to file system.
Directory to save the sessions must already exist.
Security Tips:
- Keep the session directory and this class outside the web root.
- Do not forget to change the security code. Your system's reliability and security depends upon the security code.
This class is E_ALL AND E_NOTICE Compliant.
If you find bugs, please report here.
