About

A session identifier is a nonce that uniquely represents a session.

Instead of sending the session information (such as username, login, start time, …) to the client directly, the server creates a nonce and sends it to the client as a session identifier. When the server receives a later request carrying that session identifier, it can look up the associated state (in a database, in memory, or in a file).

Usage

Storage

In an HTTP context, the sessions are called:

Length

The session ID length must be at least 128 bits (16 bytes). More info: Session_Management_Cheat_Sheet

Security Considerations

Using session identifiers is not without risk. The server should take care to avoid session fixation vulnerabilities.

You should:

For more, see the OWASP Session Management Cheat Sheet.
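As an added example (not code from this page or from the PHP manual), a small server-side session store in Python that applies the points of the Length and Security Considerations sections: identifiers of 128 bits from a CSPRNG, lookup of server-issued identifiers only, idle expiry, and regeneration of the identifier at login against session fixation. The SessionStore class, the login() helper and the in-memory storage are assumptions chosen for illustration.

```python
import secrets
import time

SESSION_ID_BYTES = 16  # 128 bits: the minimum length recommended above

def new_session_id():
    # CSPRNG-generated, 128 bits, hex-encoded so it is safe in a cookie value
    return secrets.token_hex(SESSION_ID_BYTES)

class SessionStore:
    # Server-side store keyed by an opaque session identifier (in memory here)
    def __init__(self, idle_timeout=1800):
        self._sessions = {}  # sid -> {"data": {...}, "last_seen": timestamp}
        self.idle_timeout = idle_timeout

    def create(self, now=None):
        sid = new_session_id()
        self._sessions[sid] = {"data": {}, "last_seen": time.time() if now is None else now}
        return sid

    def lookup(self, sid, now=None):
        """Return the session data for sid, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            self.destroy(sid)
            return None
        entry["last_seen"] = now
        return entry["data"]

    def regenerate(self, sid):
        """Move the session to a fresh id so a pre-login (possibly planted) id dies."""
        new_sid = new_session_id()
        self._sessions[new_sid] = self._sessions.pop(sid)
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def login(store, sid, username, now=None):
    """On successful authentication, attach the user and rotate the identifier."""
    data = store.lookup(sid, now)
    if data is None:  # unknown or expired id: never adopt a client-chosen one
        sid = store.create(now)
        data = store.lookup(sid, now)
    data["username"] = username
    return store.regenerate(sid)
```

The returned identifier is what goes into the session cookie; the old one stops resolving the moment login() returns.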

Validation

  • Referrer is known: destroy the session when the request did not originate from the site itself, then issue a fresh identifier

```php
<?php
session_start();
$referer = $_SERVER['HTTP_REFERER'] ?? ''; // the header may be absent
if (strpos($referer, 'http://vulnerable.example.com/') !== 0) {
    $_SESSION = [];
    session_destroy(); // Destroy all data in session
    session_start();   // Continue with an empty session
}
session_regenerate_id(true); // Generate a new session identifier, drop the old one
```

  • Client address and User-Agent unchanged: destroy the session when either differs from the previous request, then record the current values for the next comparison (clients behind changing proxies or on mobile networks legitimately change address, so this check logs such users out)

```php
<?php
session_start();
if (isset($_SESSION['PREV_REMOTEADDR'])
    && $_SERVER['REMOTE_ADDR'] != $_SESSION['PREV_REMOTEADDR']) {
    $_SESSION = [];
    session_destroy(); // Destroy all data in session
    session_start();
}
if (isset($_SESSION['PREV_USERAGENT'])
    && ($_SERVER['HTTP_USER_AGENT'] ?? '') != $_SESSION['PREV_USERAGENT']) {
    $_SESSION = [];
    session_destroy(); // Destroy all data in session
    session_start();
}
session_regenerate_id(true); // Generate a new session identifier
// Record the current values after regenerating, so they persist in the new session
$_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['PREV_USERAGENT']  = $_SERVER['HTTP_USER_AGENT'] ?? '';
```

  • Destroy on logout

```php
<?php
session_start();
if (isset($_GET['LOGOUT'])) {
    $_SESSION = [];
    session_destroy();
}
```

Session data without Session Identifier

This section is more of a tip: another way to store session data, without any session identifier.

If you don't want to manage an external store (such as a database) for your session data, you may also store the session data directly in a cookie, encrypted:

  • or as a JWE (a JWT whose payload is encrypted rather than merely signed and readable by anyone)