About
A session identifier is a nonce that uniquely represents a session.
Instead of sending the session information itself (such as username, login, start time, …) to the client, the server creates a nonce and sends that to the client as the session identifier. When the server receives another request carrying the session identifier, it can look up the associated state information (in a database, in memory, or in a file).
Usage
- Method of authentication: after a successful authentication, the session is upgraded with the user information.
- Session tracking: to track user interaction per analytics session (also called a visit), a virtual session id is created to group all interactions of that visit.
Storage
In an HTTP context, the sessions are called:
- cookie session: the session identifier is stored in a cookie,
- or cookieless session: the session identifier is stored in the path or in a query parameter.
Length
The session ID length must be at least 128 bits (16 bytes). More info: Session_Management_Cheat_Sheet
Security Considerations
Using session identifiers is not without risk. The server should take care to avoid session fixation vulnerabilities.
You should:
- not accept any session identifier that the server did not generate itself,
- not accept session identifiers from query strings (only from the cookie),
- not allow cookies to transit without HTTPS (see the secure cookie property),
- not allow the session cookie to be read by JavaScript (see the httpOnly property),
- put security validations in place.
For more, see the OWASP Session Management Cheat Sheet.
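The list above, applied to PHP's native session handling, as an added example that is not part of the original page; it uses only standard PHP ini settings and session functions, and the function name upgradeSessionAfterLogin is an assumed name:

```php
<?php
// Added example (not from the original page): hardening PHP's native session
// handling against session fixation with standard PHP settings only.

// 1. Session ID length: 32 characters x 4 bits per character = 128 bits.
ini_set('session.sid_length', '32');
ini_set('session.sid_bits_per_character', '4');

// 2. Do not accept session identifiers the server did not create itself:
//    in strict mode PHP discards an unknown ID and issues a fresh one.
ini_set('session.use_strict_mode', '1');

// 3. Only accept the identifier from the cookie, never from the query string
//    or the URL path (no transparent SID propagation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 4. Cookie attributes: HTTPS only (Secure), not readable by JavaScript
//    (HttpOnly), and not sent on cross-site requests (SameSite).
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, removed when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// 5. After a successful authentication, replace the identifier before
//    upgrading the session with user information, so that an ID the client
//    held before login never becomes an authenticated one.
function upgradeSessionAfterLogin(string $username): void
{
    session_regenerate_id(true);          // new ID; old session storage deleted
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
}
```

session_set_cookie_params() with an options array requires PHP 7.3 or later; on older versions pass the positional arguments instead.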
Validation
- Referrer is known
// The Referer header is sent by the client and may be absent, so treat it as a weak signal.
if (strpos($_SERVER['HTTP_REFERER'] ?? '', 'http://vulnerable.example.com/') !== 0) {
    session_unset();   // Clear the session variables
    session_destroy(); // Destroy all data in session storage
    session_start();   // Start a fresh, empty session
}
session_regenerate_id(true); // Generate a new session identifier and delete the old one
- Same client (IP address and Web User Agent (UA))
$remoteAddr = $_SERVER['REMOTE_ADDR'];
$userAgent  = $_SERVER['HTTP_USER_AGENT'] ?? '';
// Only compare when previous values exist; the first request has none
if (isset($_SESSION['PREV_REMOTEADDR'], $_SESSION['PREV_USERAGENT'])
    && ($_SESSION['PREV_REMOTEADDR'] !== $remoteAddr
        || $_SESSION['PREV_USERAGENT'] !== $userAgent)) {
    session_unset();   // Clear the session variables
    session_destroy(); // Destroy all data in session storage
    session_start();   // Start a fresh, empty session
}
$_SESSION['PREV_REMOTEADDR'] = $remoteAddr;
$_SESSION['PREV_USERAGENT']  = $userAgent;
session_regenerate_id(true); // Generate a new session identifier and delete the old one
- Destroy on logout
if (isset($_GET['LOGOUT'])) {
    session_unset();   // Clear the session variables
    session_destroy(); // Destroy all data in session storage
}
Session data without Session Identifier
This section is more a tip: another way to store session data, without any session identifier.
If you don't want to manage an external store (such as a database) for your session data, you may also store the session data directly in a cookie, signed or encrypted:
- in JWT format (signed, so the client can read but not alter it),
- or as a JWE (a JWT whose payload is additionally encrypted).