Quick Tips for Secure Session Management

February 2nd, 2014 by Laeeq | No comments

Most modern websites use sessions to control the experience for individual users and to maintain state between requests (HTTP is, after all, a stateless protocol). Sessions are fantastic and incredibly useful, but if managed incorrectly they can expose your website to security vulnerabilities and potentially allow an attacker to gain unauthorized access to user accounts.

$_SESSION is a special array used to store information across the page requests a user makes during a visit to your website or web application. You can think of a session like a working application: you open it, make some changes, and then you close it.

Generally many users access the site at the same time, each with their own session. PHP manages a unique session id for each user's session, and that id is available only to that user. Session information is stored on the server rather than on the user's computer, which makes sessions more secure than plain cookies for passing information between page requests.

In this post I'll give you a brief description of how to manage sessions properly in your application, along with some quick tips on managing sessions and avoiding common security vulnerabilities.

How to Manage Session in Your Application

We need to call session_start() before storing information in a session. The session start is always done at the beginning of the PHP code, and must happen before any text, HTML, or JavaScript is sent to the browser, because the session cookie is sent as a header and headers cannot be set once output has begun.

<?php
// start Session
session_start();
// store session data
$_SESSION["username"] = "Webuser";

session_start() starts the session between the user and the server and makes the values stored in $_SESSION accessible in other scripts.

In any application page where you need the stored session values, call session_start() again and then read the values from $_SESSION.

<?php
// This will continue the session
session_start();
// retrieve session data
echo "Username = " . $_SESSION["username"];

This is a very basic example of storing and retrieving data in a session. We stored "Webuser" under the $_SESSION array key "username" and retrieved it from $_SESSION using the same key. $_SESSION lets you store and retrieve information across the page requests of a user's active browsing session.

After starting a session and storing values in it, it becomes important to end the session carefully. Because a session is only a temporary way to store data, it is very important to clean up after yourself, both to ensure maximum security when dealing with potentially sensitive information and to avoid a huge amount of session data accumulating on your server.

You can use the unset() function to delete a single session value:

<?php
session_start();
// delete the username value
unset($_SESSION["username"]);

If you want to unset all of the session values, you can use the session_unset() function:

<?php
session_start();
// delete all session values
session_unset();

Both examples above only delete the data stored in the session, not the session itself. You can still store other values in $_SESSION after calling them if you choose. If you wish to stop using the session completely, for example when a user logs out, use the session_destroy() function.

<?php
session_start();
// terminate the entire session
session_destroy();

It's highly recommended that once you are sure you no longer need the session, you destroy it with session_destroy() rather than just unsetting all of its values with session_unset(). If you only unset the values, the session itself is still active and malicious code could populate it with harmful values.
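As an added example (not code from the original post), here is a login/logout pair that puts the pieces above together. The logout function goes one step further than session_destroy() alone: it empties the $_SESSION array for the current request and expires the session cookie in the browser, following the pattern given in the PHP manual, because session_destroy() removes the server-side data but leaves both of those in place. The function names and the $userId value are assumptions for the illustration; the credential check that produces $userId is your own code.

```php
<?php
// Added example: session lifecycle helpers (not from the original post).
// Requires PHP 5.4+ for session_status().

// Start the session exactly once, even if several included files call this.
function ensure_session_started()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Store the authenticated user in the session after credentials were verified.
// $userId is an assumed value produced by your own authentication code.
function login_user($userId)
{
    ensure_session_started();
    $_SESSION["user_id"]    = $userId;
    $_SESSION["logged_in"]  = true;
    $_SESSION["login_time"] = time();
}

// Read back the stored user id, or null when nobody is logged in.
function current_user_id()
{
    ensure_session_started();
    if (empty($_SESSION["logged_in"]) || !isset($_SESSION["user_id"])) {
        return null;
    }
    return $_SESSION["user_id"];
}

// Full logout: clear in-memory data, expire the cookie, destroy the server-side session.
function logout_user()
{
    ensure_session_started();

    // 1. Empty the $_SESSION array for this request (session_destroy() does not do this).
    $_SESSION = array();

    // 2. Expire the session cookie so the browser stops sending the old id.
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            "",
            time() - 42000,
            $params["path"],
            $params["domain"],
            $params["secure"],
            $params["httponly"]
        );
    }

    // 3. Remove the session data stored on the server.
    session_destroy();
}

// Usage sketch for a logout endpoint:
// logout_user();
// header("Location: /login.php");
// exit;
```

The order inside logout_user() matters: the cookie parameters are read before session_destroy() so the expiring cookie is sent with the same path and domain the original cookie used; otherwise the browser treats it as a different cookie and keeps sending the old id.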

You can also make your session more secure against session hijacking by replacing the current session id with a newly generated one. The session_regenerate_id() function replaces the current session id with a new one while keeping the current session information. The id should be regenerated whenever an important authentication action is performed, such as logging in, changing a password, or updating user profile data.

<?php
session_start();

// regenerate the id after a sensitive action so an id captured
// earlier is no longer valid for the authenticated session
$action = isset($_POST["action"]) ? $_POST["action"] : "";
if ($action == "update_profile" || $action == "change_password") {
   session_regenerate_id();
}
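As an added example (not the post's own code), the snippet above extended to cover login as well as the profile and password actions. It passes true to session_regenerate_id() so that the old session file is deleted on the server too, regenerates the id before the authenticated identity is written so an id issued to the pre-login session never becomes a logged-in one, and reads $_POST with isset() so a missing action field does not raise a notice. The function names and the $verifiedUserId value are assumptions; the value stands in for the result of your own credential check.

```php
<?php
// Added example (not from the original post): regenerate the session id
// at every authentication boundary. Requires PHP 5.4+ for session_status().

function ensure_session_started()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call this right after credentials have been verified. Regenerating before
// writing the identity means an id obtained from the pre-login session
// never turns into an authenticated session.
function establish_authenticated_session($userId)
{
    ensure_session_started();
    // true: also delete the old session file so the previous id is dead on the server.
    session_regenerate_id(true);
    $_SESSION["user_id"]   = $userId;
    $_SESSION["logged_in"] = true;
}

// Actions that change credentials or profile data get a fresh id as well.
// Returns true when the id was regenerated, so the caller can log it.
function regenerate_for_action($action)
{
    // The list of actions from the post; extend it as your application needs.
    static $sensitive = array("update_profile", "change_password");
    ensure_session_started();
    if (empty($_SESSION["logged_in"]) || !in_array($action, $sensitive, true)) {
        return false;
    }
    session_regenerate_id(true);
    return true;
}

// Request handling sketch: read the action defensively.
ensure_session_started();
$action = isset($_POST["action"]) ? (string) $_POST["action"] : "";

if ($action === "login") {
    // Constructed value: replace with the user id your credential check returns.
    $verifiedUserId = 42;
    establish_authenticated_session($verifiedUserId);
} elseif (regenerate_for_action($action)) {
    error_log("session id regenerated after action: " . $action);
}
```

regenerate_for_action() refuses to act for anonymous sessions, so a request that merely names a sensitive action does not churn session ids without an authenticated user behind it.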

In this post you've learned what a session is and how to create, use, and destroy sessions in PHP. You have also learned a few tips to make sessions more secure in your application. For more information on sessions, please check out the PHP Manual – Session Handling.
