Session Management BasicsSession SecurityThe session module can not guarantee that the information stored in a session is only viewed by the user who created the session. Additional measures are needed to protect the confidentiality of the session, depending on the value associated with it. The importance of the data carried in the session needs to be assessed and further protection may be deployed; this typically comes at a price, such as reduced convenience for the user. For example, to protect users from a simple social engineering tactic, session.use_only_cookies needs to be enabled. In that case, cookies must be enabled unconditionally on the client side, or sessions will not work. There are several ways to leak an existing session ID to third parties. E.g. JavaScript injections, session IDs in URLs, packet sniffing, physical access to the device, etc. A leaked session ID enables the third party to access all resources associated with a specific ID. First, URLs carrying session IDs. If there are links to an external site or resource, the URL including the session ID might be stored in the external site's referrer logs. Second, a more active attacker might listen to network traffic. If it is unencrypted, session IDs will flow in plain text over the network. The solution is to implement SSL/TLS on the server and make it mandatory for users. HSTS should be used for improved security.
Non-adaptive Session ManagementPHP's session manager is adaptive by default currently. An adaptive session manager bears additional risks.
When session.use_strict_mode is enabled,
and the session save handler supports it,
an uninitialized session ID is rejected and a new one is created.
This prevents an attack that forces users to use a known session ID.
An attacker may paste links or send emails that contains the session ID.
E.g. Warning
User defined save handlers can also support strict session mode by implementing session ID validation. All user defined save handlers should implement session ID validation. The session ID cookie may be set with the domain, path, httponly, secure and, as of PHP 7.3, SameSite attributes. There is precedence defined by browsers. By using the precedence, an attacker can set session ID that could be used permanently. Use of session.use_only_cookies will not solve this issue. session.use_strict_mode mitigates this risk. With session.use_strict_mode=On, the uninitialized session ID will be refused.
Warning
Access to an obsolete session does not necessarily suggest an attack. An unstable network and/or immediate deletion of the active session will result in legitimate users using obsolete sessions. As of PHP 7.1.0, session_create_id has been added. This function may be operated to access all active sessions of a user efficiently by prefixing the session IDs with the user ID. Enabling session.use_strict_mode is vital with this setup. Otherwise, malicious users can set malicious session ID for other users.
Session ID Regenerationsession.use_strict_mode is a good mitigation, however not sufficient. Developers must equally use session_regenerate_id for session security. Session ID regeneration reduces the risk of stolen session IDs, thus session_regenerate_id must be called periodically. E.g. Regenerate the session ID every 15 minutes for security sensitive content. Even in the case that a session ID is stolen, both the legitimate user's and the attacker's session will expire. In other words access by the user or the attacker will generate an obsolete session access error. Session IDs must be regenerated when user privileges are elevated, such as after authenticating. session_regenerate_id must be called prior to setting the authentication information to $_SESSION. (session_regenerate_id saves the current session data automatically in order to save timestamp/etc. to the current session.) Ensure only the new session contains the authenticated flag. Developers must not rely on session ID expiration by session.gc_maxlifetime. Attackers may access a victim's session ID periodically to prevent its expiration and keep exploiting it, including an authenticated session. Instead, developers must implement timestamp based session data management. Warning
Although the session manager can manage timestamps transparently,
this feature is not implemented. Old session data must be kept until GC.
Simultaneously, developers must assure themselves obsolete session data
is removed. However, developers must not remove active session data immediately.
I.e. session_regenerate_id does not delete outdated sessions by default. Obsolete authenticated sessions may be present for use. Developers must prevent outdated sessions to be consumed by anyone. They must prohibit access to obsolete session data by themselves using timestamps. Warning
The sudden removal of an active session produces undesirable side effects. Sessions can vanish when there are concurrent connections to the web application and/or the network is unstable. Potential malicious access is undetectable with the sudden removal of active sessions. Instead of deleting outdated sessions immediately, developers must set a short-term expiration time (timestamp) in $_SESSION, and prohibit access to the session data by themselves. Developers must not prohibit access to old session data immediately after session_regenerate_id. It must be prohibited at a later stage. E.g. a few seconds later for stable networks, like a wired network, and a few minutes later for unstable networks such as cell phones or Wi-Fi. If a user accesses an obsolete session (expired session), access to it should be denied. It is also recommended to remove the authenticated status from all of the user's sessions to as it is likely to represent an attack. Proper use of session.use_only_cookies and session_regenerate_id can cause personal DoS with undeletable cookies set by attackers. In this case, developers may invite users to remove cookies and advise them they may be affected by a security issue. Attackers may set malicious cookies via a vulnerable web application, an exposed/vicious browser plugin, a physically compromised device, etc. Warning
Do not misunderstand the DoS risk. session.use_strict_mode=On is mandatory for general session ID security! All sites are advised to enable session.use_strict_mode. DoS can only happen when the account is under attack. A JavaScript injection vulnerability in an application represents the most common cause. Session Data DeletionObsolete session data must be inaccessible and deleted. The current session module does not handle this well. Obsolete session data should be removed as soon as possible. However, active sessions must not be removed instantly. To satisfy those requirements, developers must implement timestamp based session data management by themselves. Set and manage expiration timestamp in $_SESSION. Prohibit access to outdated session data. When access to obsolete session data is detected, it is advised to remove all authenticated status from the user's sessions and force them to re-authenticate. Access to obsolete session data can represent an attack. To achieve this, developers must keep track of all active sessions of every user.
In summary, session data must not be destroyed with session_regenerate_id nor session_destroy, but timestamps must be used to control access to session data. Let session_gc remove obsolete data from the session data storage. Session and LockingSession data is locked to avoid race conditions by default. Locking is mandatory to keep session data consistent across requests.
However, session-locking can be abused by attackers to perform DoS attacks.
To mitigate the risk of a DoS attack by session-locking, minimize locks.
Use read only sessions when session data does not need to be updated.
Use the 'read_and_close' option with session_start.
The current session module does not detect any modification of $_SESSION when the session is inactive. It is the developer's responsibility not to modify $_SESSION when the session is inactive. Active SessionsDevelopers should keep track of all active sessions for every user. And notify them of how many active sessions, from which IP (and area), how long it has been active, etc. PHP does not keep track of these. Developers are supposed to do so. Various ways to implement this exist. One possible implementation is setting up a database that keeps track of the required data and stores any relevant information. Since session data is GCed, developers must take care of the GCed data to maintain the active session database consistency. One of the simplest implementations is "User ID prefixed session ID" and store the required information in $_SESSION. Many databases posses good performance for selecting string prefix. Developers MAY use session_regenerate_id and session_create_id for this. Warning
Never employ confidential data as a prefix. If the user ID is confidential, consider using hash_hmac. Warning
Enabling session.use_strict_mode is mandatory for this setup. Ensure it is enabled. Otherwise, the active session database can be compromised. Timestamp based session management is mandatory to detect access to obsolete sessions. When access to an obsolete session is detected, authentication flags should be removed from all active sessions of the user. This prevents attackers to keep exploiting stolen sessions. Session and Auto-loginDevelopers must not use long life session IDs for auto-login because it increases the risk of stolen sessions. An auto-login feature should be implemented by the developer. Use a secure one time hash key as an auto-login key using setcookie. Use a secure hash stronger than SHA-2. E.g. SHA-256 or greater with random data from random_bytes or /dev/urandom. If the user is unauthenticated, check whether the one-time auto-login key is valid or not. In the case it is valid, authenticate the user and set a new secure one-time hash key. An auto-login key must only be used once, i.e. never reuse an auto-login key, always generate a new one. An auto-login key is a long life authentication key, it should be protected as much as possible. Use path/httponly/secure/SameSite cookie attributes to secure it. I.e. never transmit the auto-login key unless required. Developer must implement the features that disables auto-login and removes unneeded auto-login key cookie. CSRF (Cross-Site Request Forgeries) attacksSessions and authentication do not protect against CSRF attacks. Developers must implement CSRF protection by themselves. output_add_rewrite_var can be used for CSRF protection. Refer to the manual page for more details.
Most web application frameworks support CSRF protection. Refer to the web application framework manual for more details. As of PHP 7.3 the SameSite attribute for the session cookie can be set. This is an additional measure which can mitigate CSRF vulnerabilities. |