voodooKobra

Session Security for the Lazy

Jul 30th, 2013
<?php /*
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |S|E|S|S|I|O|N| |S|E|C|U|R|I|T|Y|
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  License: https://s.arciszewski.me/public/WTFPL.txt

  This script should make it very difficult for an attacker to predict,
  control, or intercept your visitors' session IDs and log in as them.

  First, it forces the configuration to only transmit cookies over HTTPS,
  mark cookies as HttpOnly (so the browser will not expose them to
  JavaScript, where an XSS payload could steal them), and use plenty of
  entropy in the session ID. It also specifies a 512-bit hash function and
  6 bits per character to keep the cookie short without sacrificing
  precious entropy.

  Next, it checks whether $_SESSION['birth'] is defined. If it isn't, it
  wipes every value in $_SESSION, regenerates the ID and sends the new
  session ID back to the user, so an ID an attacker planted in the browser
  (session fixation) never becomes an authenticated session.

  From that point forward, every 30 minutes, your users' session IDs will
  be recycled and the old ones erased.

  REQUIREMENTS:
    - HTTPS (the cookie is marked Secure, so over plain HTTP the browser
      will never send it back and no session will persist). In 2013 a free
      certificate could be had from startssl.com; StartSSL has since shut
      down, and any CA your clients trust will do.
    - PHP 5.5.2 or later for session.use_strict_mode (older versions
      silently ignore that directive).
  ISSUES:
    - On first pageload, two IDs are always generated. The first is
      discarded because $_SESSION['birth'] is not defined. This should not
      be a major performance issue.
    - session.entropy_length, session.entropy_file, session.hash_function
      and session.hash_bits_per_character were removed in PHP 7.1, which
      always reads the OS CSPRNG and sizes the ID with session.sid_length
      and session.sid_bits_per_character instead. The version check below
      sets whichever pair the running PHP understands; ini_set() on a
      removed directive returns false and is otherwise silently ignored.
*/
ini_set("session.cookie_httponly", "On"); // No JavaScript access to the cookie
ini_set("session.cookie_secure", "On"); // HTTPS only!
ini_set("session.use_strict_mode", "On"); // Reject IDs this server never issued (PHP >= 5.5.2)
if (PHP_VERSION_ID >= 70100) {
  ini_set("session.sid_length", "86"); // 86 chars * 6 bits = 516 bits
  ini_set("session.sid_bits_per_character", "6"); // 6 bits/character
} else {
  ini_set("session.entropy_length", "64"); // 64 bytes = 512 bits
  ini_set("session.hash_function", "sha512"); // 512-bit hash function
  ini_set("session.hash_bits_per_character", "6"); // 6 bits/character
  ini_set("session.entropy_file", "/dev/urandom");
}
# Note: You should probably edit your php.ini if possible to enforce these values
# rather than reset them at runtime. It will reduce overhead, and a php_admin_value
# in the server configuration cannot be undone by application code.
session_start();
if (empty($_SESSION['birth'])) {
  // Either a brand-new session or an ID we did not issue: start clean.
  $_SESSION = array(); // Goodbye to anything that was here
  $_SESSION['birth'] = time();
  session_regenerate_id(true);  // New ID; the old session data is deleted
} elseif (time() - $_SESSION['birth'] > 1800) {
  // 30 minutes later, new ID. Reset the clock so the next rotation is
  // another 30 minutes away rather than on every subsequent request.
  $_SESSION['birth'] = time();
  session_regenerate_id(true);
}
######################################################################
# Notice: For your logout script, make sure you do the following:    #
######################################################################
/*
  $_SESSION = array(); // Just in case
  // session_destroy() removes the server-side data but not the browser's
  // cookie; expire it explicitly so the old ID is never presented again.
  if (ini_get("session.use_cookies")) {
    $p = session_get_cookie_params();
    setcookie(session_name(), "", time() - 42000,
      $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
  }
  session_destroy();
  header("Location: /");
  exit;
*/
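The following is an added check, not part of voodooKobra's paste: it audits the running PHP's effective session settings after session_start(), so you can confirm that runtime ini_set() calls like the ones above were honoured. They are silently ignored when a directive was removed in PHP 7.1 or pinned with php_admin_value in the server config, and the only reliable evidence is the cookie parameters and the session ID the server actually hands out. The function name session_hardening_report, the 128-bit floor and the settings in the CLI demo at the bottom are assumptions of this example.

```php
<?php
// Added example: audit the effective session hardening at runtime.
// Assumed names: session_hardening_report(), the 128-bit floor, the CLI demo values.
declare(strict_types=1);

function session_hardening_report(int $minBits = 128): array
{
    $findings = [];

    if (session_status() !== PHP_SESSION_ACTIVE) {
        return ['session is not active; call session_start() first'];
    }

    // Cookie flags: both must be set for the cookie to stay off plaintext
    // HTTP and out of reach of document.cookie.
    $params = session_get_cookie_params();
    if (empty($params['secure'])) {
        $findings[] = 'session cookie is not marked Secure';
    }
    if (empty($params['httponly'])) {
        $findings[] = 'session cookie is not marked HttpOnly';
    }

    // IDs must only ever arrive in the cookie; a URL-carried ID is the
    // classic fixation and referrer-leak vector.
    if (!filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'session.use_only_cookies is off (IDs accepted from the URL)';
    }

    // Strict mode (PHP >= 5.5.2) rejects IDs the server never issued.
    // ini_get() returns false on older PHP, which filter_var treats as off.
    if (!filter_var(ini_get('session.use_strict_mode'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'session.use_strict_mode is off';
    }

    // Entropy estimate: measure the ID the server actually issued rather
    // than trusting ini values, since the directive names changed in 7.1.
    $id = session_id();
    $bpcKey = PHP_VERSION_ID >= 70100
        ? 'session.sid_bits_per_character'
        : 'session.hash_bits_per_character';
    $bpc = (int) ini_get($bpcKey);
    if (!in_array($bpc, [4, 5, 6], true)) {
        $findings[] = "$bpcKey has unexpected value '" . ini_get($bpcKey) . "'";
        $bpc = 4; // conservative assumption for the estimate below
    }
    $bits = strlen($id) * $bpc; // upper bound on the bits the ID can carry
    if ($bits < $minBits) {
        $findings[] = sprintf(
            'session ID carries at most %d bits (%d chars x %d bits), below the %d-bit floor',
            $bits, strlen($id), $bpc, $minBits
        );
    }

    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo (constructed settings): apply flags equivalent to the
    // script above, start a session, and print the audit result.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    if (PHP_VERSION_ID >= 70100) {
        ini_set('session.sid_length', '48');            // 48 chars * 6 bits = 288 bits
        ini_set('session.sid_bits_per_character', '6');
    } else {
        ini_set('session.hash_function', 'sha512');
        ini_set('session.hash_bits_per_character', '6');
    }
    session_start();
    $report = session_hardening_report();
    echo $report ? implode(PHP_EOL, $report) . PHP_EOL : 'OK' . PHP_EOL;
}
```

Run it with `php audit.php` to see the CLI demo, or include the function in a throwaway page served over HTTPS right after the hardening block; an empty report means every flag the script relies on is in force on that PHP build. The bit count is an upper bound on what the ID can carry, not a measurement of the generator behind it, which is why the demo also pins the source-of-entropy directives where the running PHP still has them.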