PHP Security Tip #7


Today's security tip comes from Kevin Schroeder and the bright young minds over at Zend Professional Services.

When using session_regenerate_id() to protect against session fixation, it's usually a good idea to delete the old session as well, not just issue a new ID: unless you do, the old ID still resolves to a live session.

For example, the script

<?php

session_start();
$_SESSION['data'] = time();
session_regenerate_id();

?>

Request the script once and check your session save directory (/tmp by default). session_start() created one file and session_regenerate_id() created a second:

sess_82c6980017e100277a63983142fd454c
sess_a4bab88e6dfa6e900ade21e3fbd27a53


Go again and you'll see

sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c

And again, and you'll see

sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c  
sess_dd88c05b724d80b30c90309847f2e919

Those old sessions are still active: anyone holding one of the old IDs, including an attacker who planted it, can keep using it until garbage collection eventually removes the file. To remove the old session when regenerating the ID, pass true as the delete_old_session argument:

<?php
session_start();
$_SESSION['data'] = time();
session_regenerate_id(true);
?>

If you're using your own session handler, this will also cause your destroy callback to be called for the old session ID.
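Here is an added example (not code from the original tip) that makes both points visible at once: a save handler whose destroy callback records which IDs it was asked to delete, and a check that the old session file is gone after session_regenerate_id(true). It assumes PHP 8 with the default "files" save handler; the session file layout, the 'alice' placeholder and the class name are illustrative.

```php
<?php
// Added example (not from the original tip). Assumes PHP 8 and the default
// "files" save handler; the user name and class name are placeholders.

class LoggingSessionHandler extends SessionHandler
{
    /** @var string[] IDs whose destroy() was requested, kept for inspection */
    public array $destroyed = [];

    public function destroy(string $id): bool
    {
        // session_regenerate_id(true) ends up here for the OLD id;
        // session_regenerate_id() with the default false never does.
        $this->destroyed[] = $id;
        return parent::destroy($id);
    }
}

$handler = new LoggingSessionHandler();
session_set_save_handler($handler, true);
session_start();

$oldId   = session_id();
// session_save_path() is empty when php.ini does not set it; the files
// handler then falls back to the system temp dir (assumption: /tmp-style path)
$dir     = session_save_path() ?: sys_get_temp_dir();
$oldFile = $dir . DIRECTORY_SEPARATOR . 'sess_' . $oldId;

// Regenerate at the privilege boundary (right after a successful login),
// deleting the old session so a planted ID stops working.
$_SESSION['user'] = 'alice';          // placeholder for the authenticated user
session_regenerate_id(true);
$newId = session_id();

// Only produce output after regenerating: output sends headers, and the
// session ID cannot be regenerated once headers have been sent.
$report = [
    'old id'                => $oldId,
    'new id'                => $newId,
    'destroy() called for'  => implode(', ', $handler->destroyed) ?: '(none)',
    'old file still exists' => file_exists($oldFile) ? 'yes' : 'no',
];
foreach ($report as $label => $value) {
    echo str_pad($label, 24), ': ', $value, PHP_EOL;
}
```

Run it once with session_regenerate_id(true) and "destroy() called for" lists the old ID while "old file still exists" reports no; change the call to session_regenerate_id() and the destroy list stays empty and the old file remains, which is exactly the leftover shown in the directory listings above.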

While this will not make or break a secure application, it gives you a little added security against session fixation at the cost of four characters of code. One caveat: deleting the old session immediately can break concurrent requests (for example AJAX calls) that are still in flight with the old ID, so regenerate at privilege boundaries such as login rather than on every request.
