Session Identifier

About

A session identifier is a nonce that uniquely represents a session.

Instead of storing session information (such as username, login, start time, …) directly on the client (where it might be exposed to or replayed by an attacker), the server creates a nonce and sends it as the session identifier. When the server receives another request carrying that session identifier, it looks up the associated state information (generally in a database).

Usage

  • Method of authentication: after successful authentication, a session identifier is created. Each time the user performs an action, the session identifier is sent back to the server; if the session id is still valid, the user is treated as authenticated.
  • Session tracking: to track user interactions by analytics session (also called a visit), a virtual session id is created that groups all interactions of that visit.

Length

The session ID length must be at least 128 bits (16 bytes). More info: Session_Management_Cheat_Sheet

Security Considerations

Using session identifiers is not without risk. The server should take care to avoid session fixation vulnerabilities.

You should:

Validation

  • Referrer is known
session_start();

// Referrer is known: drop the session if the request did not originate from this site
if (!isset($_SERVER['HTTP_REFERER'])
    || strpos($_SERVER['HTTP_REFERER'], 'http://vulnerable.example.com/') !== 0) {
    session_unset();
    session_destroy(); // Destroy all data in session
    session_start();   // Continue with a fresh, empty session
}
// Client address must match the one recorded when the session was created
if (isset($_SESSION['PREV_REMOTEADDR']) && $_SERVER['REMOTE_ADDR'] != $_SESSION['PREV_REMOTEADDR']) {
    session_unset();
    session_destroy(); // Destroy all data in session
    session_start();
}
$_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
// Same check for the User-Agent header
if (isset($_SESSION['PREV_USERAGENT']) && ($_SERVER['HTTP_USER_AGENT'] ?? '') != $_SESSION['PREV_USERAGENT']) {
    session_unset();
    session_destroy(); // Destroy all data in session
    session_start();
}
$_SESSION['PREV_USERAGENT'] = $_SERVER['HTTP_USER_AGENT'] ?? '';

session_regenerate_id(true); // Generate a new session identifier and discard the old one
  • Destroy on logout
session_start();
if (isset($_GET['LOGOUT'])) {
    session_unset();
    session_destroy(); // Destroy all data in session
}
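As an added illustration (not code from this page), the following Python model shows the mechanism described under About together with the safeguards above: a 128-bit identifier drawn from a CSPRNG, server-side lookup of the state behind it, a fresh id issued at login so an id fixed before authentication is worthless, and destruction on logout. The SessionStore class and its method names are constructed for this example.

```python
import secrets
import time

SESSION_ID_BYTES = 16  # 128 bits: the minimum length recommended above


class SessionStore:
    """In-memory model of server-side session state keyed by an opaque nonce."""

    def __init__(self, ttl_seconds=3600, clock=time.monotonic):
        self._sessions = {}       # session id -> state dict
        self._ttl = ttl_seconds
        self._clock = clock       # injectable so expiry can be tested

    @staticmethod
    def new_id():
        # Drawn from the OS CSPRNG; 16 random bytes rendered as 32 hex chars.
        return secrets.token_hex(SESSION_ID_BYTES)

    def create(self):
        """Anonymous (pre-login) session; the id itself carries no information."""
        sid = self.new_id()
        self._sessions[sid] = {"user": None, "start": self._clock()}
        return sid

    def lookup(self, sid):
        """Resolve a presented id to its state, or None if unknown or expired."""
        state = self._sessions.get(sid)
        if state is None:
            return None
        if self._clock() - state["start"] > self._ttl:
            del self._sessions[sid]
            return None
        return state

    def login(self, sid, username):
        """Bind the user to a fresh id, so an id fixed before login is worthless."""
        if self.lookup(sid) is None:
            raise KeyError("unknown or expired session")
        del self._sessions[sid]   # the pre-login id must stop working
        new_sid = self.new_id()
        self._sessions[new_sid] = {"user": username, "start": self._clock()}
        return new_sid

    def logout(self, sid):
        """Destroy on logout: the id can no longer be looked up."""
        self._sessions.pop(sid, None)
```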
