🔥 What happens if an attacker gets your session ID? 🤔
Oh boy, it's a real doozy. An attacker has managed to copy your cookie value, and they're using it to hijack your session! 🤔
Let's take a step back and understand how session hijacking works. Imagine you're browsing a site, and your browser holds a session cookie with the value PHPSESSID=3cb3b25e0a6b8f9c0d7. Now imagine the attacker, in their own browser, has obtained that cookie value.
When the attacker sends a request carrying that cookie, PHP looks up the session ID and loads the victim's session file, exactly as it would for you. 🤔
✅ The attacker is logged in as you → they can do anything you can do. 🤔
But wait, why does the server go along with this? You might be thinking, "Session security is critical! Why is this happening?" It happens because the session ID is the only thing that ties a request to a logged-in user: PHP has no other way to tell you and the attacker apart, so whoever presents the ID is treated as that user. 🤔
Session hijacking is a problem because it lets the attacker use your account without your knowledge or consent. They can act on your behalf inside the application, like viewing your activity, changing your preferences, or stealing sensitive
🔴 What Happens If Attacker Gets Session ID?
Attacker copies your cookie value:
PHPSESSID=3cb3b25e0a6b8f9c0d7
- They set this cookie in their own browser (via DevTools, an extension, or a script).
- On the next request, PHP sees that session ID and loads the victim's session file (with the default files handler, the file under session.save_path named after the ID).
- ✅ Attacker is logged in as you → they can do anything you can do.
This is why session security is critical.
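The steps above, played out from the PHP CLI so you can watch the mechanism without a browser. This is an added example, not code from the original post: both "clients" run inside one script, the session files live in the system temp directory, and it assumes PHP's default files session handler. It goes one step beyond the text by also trying an ID the server never issued, to show what session.use_strict_mode does and does not stop.

```php
<?php
// Added example: simulate session hijacking from the CLI.
// Assumes the default "files" session handler; the temp dir is used as save_path
// so nothing here touches a real application's sessions.
declare(strict_types=1);

ini_set('session.save_path', sys_get_temp_dir());
ini_set('session.use_cookies', '0');       // CLI: no cookies to send or read
ini_set('session.use_only_cookies', '0');
ini_set('session.use_strict_mode', '1');   // strict mode ON, to show it is not a hijack defense

// --- Victim: logs in, PHP creates a session and stores the login state ---
session_start();
$_SESSION['user_id'] = 42;
$_SESSION['role']    = 'admin';
$victimSessionId = session_id();           // this is what the PHPSESSID cookie carries
session_write_close();

// --- Attacker: presents the stolen ID on a fresh request ---
// Equivalent of pasting PHPSESSID=<stolen> into DevTools. The ID is valid
// (its session file exists), so even strict mode accepts it and PHP loads
// the victim's data into $_SESSION.
session_id($victimSessionId);
session_start();
$hijacked        = $_SESSION;
$attackerGotId   = session_id();
session_write_close();

// --- Contrast: an ID the server never issued (a fixation attempt) ---
// Strict mode rejects an uninitialized ID and hands out a fresh one instead,
// so the attacker cannot pre-plant a known ID. It cannot help once a real,
// live ID has leaked: that is what the rest of the defenses are for.
$forged = str_repeat('deadbeef', 4);
session_id($forged);
session_start();
$forgedAccepted = (session_id() === $forged);
session_write_close();

printf("victim session id  : %s\n", $victimSessionId);
printf("attacker loaded    : %s\n", json_encode($hijacked));
printf("stolen id accepted : %s\n", $attackerGotId === $victimSessionId ? 'yes' : 'no');
printf("forged id accepted : %s\n", $forgedAccepted ? 'yes' : 'no');
```

Run it with `php hijack_demo.php` (file name is this example's own). All session_start() calls happen before any output so the script behaves the same under every SAPI.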
🛡 How to Defend Against Session Hijacking
- Use HTTPS (TLS)
- If you use plain HTTP, session cookies travel in cleartext and can be sniffed on the network with tools like Wireshark.
- Always enforce HTTPS and set:
ini_set('session.cookie_secure', 1);
→ ensures the cookie is only sent over HTTPS. Like every session.* setting, it must be set before session_start() (or in php.ini), otherwise the cookie has already been issued without the flag.
- HttpOnly Flag
- Prevents JavaScript (for example an XSS payload) from reading the cookie. It does not stop injected script from sending requests that carry the cookie, since the browser attaches it automatically, so it narrows XSS impact rather than removing it.
ini_set('session.cookie_httponly', 1);
- Regenerate Session ID
- Regenerate the session ID after a successful login and after any change of privilege:
session_regenerate_id(true);
→ Makes the old ID useless (the true argument deletes the old session data), so an ID the attacker planted or captured before login cannot be reused. This prevents session fixation; pair it with session.use_strict_mode = 1 so PHP also refuses IDs it never issued.
- Bind Session to Client Properties
- Check the IP address, User-Agent, etc., and refuse the session if they change.
Example:
session_start();
// HTTP_USER_AGENT may be absent (some clients and bots send none); default it
// rather than raising a warning.
$fingerprint = hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . $_SERVER['REMOTE_ADDR']);
if (!isset($_SESSION['fingerprint'])) {
    // First request of this session: remember the client properties.
    $_SESSION['fingerprint'] = $fingerprint;
} elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
    // Client properties changed: throw the session away instead of serving it.
    $_SESSION = [];
    session_destroy();
    die("Session hijack attempt detected!");
}
⚠️ Note: Binding to IP may break sessions for users on mobile networks, behind carrier NAT or corporate proxies, where the IP changes between requests. The User-Agent is trivially copied by an attacker who already has the cookie, so this check raises the bar but is not a primary defense.
- Short Session Lifetime
- Reduce how long a session is valid:
ini_set('session.gc_maxlifetime', 1800); // 30 minutes
→ Garbage collection only runs with probability session.gc_probability / session.gc_divisor on a request, so an expired session file can survive past this limit. Enforce the limit in code as well:
- Implement an idle timeout:
if (!isset($_SESSION['last_activity'])) {
    // First request: start the idle clock.
    $_SESSION['last_activity'] = time();
} elseif (time() - $_SESSION['last_activity'] > 900) { // 15 mins
    // Too long since the last request: drop the session.
    $_SESSION = [];
    session_destroy();
    die("Session expired.");
}
// Every served request resets the idle clock.
$_SESSION['last_activity'] = time();
- SameSite Cookies
- Protects against CSRF (Cross-Site Request Forgery) by not sending the cookie on cross-site requests. It does nothing against a stolen ID that the attacker sends from their own browser.
- In php.ini or code (PHP 7.3+), before session_start():
ini_set('session.cookie_samesite', 'Strict');
→ Strict also withholds the cookie on top-level navigations from other sites (a link from an email lands the user logged out); Lax is the usual compromise.
- Store Sensitive Data Outside Sessions
- Don't keep passwords, tokens, or critical secrets in $_SESSION.
- Only store user IDs, roles, etc. → if hijacked, the attacker still gets limited information, although they can still act as the user for as long as the session lives.
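All of the defenses above, combined into one session bootstrap. This is an added example and not code from the original post; the function names (secure_session_start, login_user, destroy_session), the constants and the session name are this example's own choices, and it requires PHP 7.3+ for the samesite option of session_set_cookie_params() and setcookie().

```php
<?php
// Added example: hardened session bootstrap combining TLS-only/HttpOnly/SameSite
// cookies, strict mode, ID regeneration on login, a User-Agent binding, and
// idle + absolute timeouts. Names and values below are this example's choices.
declare(strict_types=1);

const IDLE_TIMEOUT     = 900;      // 15 min without a request ends the session
const ABSOLUTE_TIMEOUT = 8 * 3600; // 8 h after login, regardless of activity
const SESSION_NAME     = 'app_session';

function client_fingerprint(): string
{
    // Bind to the User-Agent only: IPs change on mobile/NAT/proxies. The UA is
    // attacker-controllable, so this only raises the bar.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function secure_session_start(): void
{
    // Everything here must run BEFORE session_start().
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    session_name(SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // 'Strict' also blocks top-level navigations from other sites
    ]);
    session_start();

    $now = time();
    if (!isset($_SESSION['created_at'])) {
        // First request of this session: record the binding data.
        $_SESSION['created_at']    = $now;
        $_SESSION['last_activity'] = $now;
        $_SESSION['fingerprint']   = client_fingerprint();
        return;
    }

    $expired  = ($now - $_SESSION['last_activity']) > IDLE_TIMEOUT
             || ($now - $_SESSION['created_at'])    > ABSOLUTE_TIMEOUT;
    $mismatch = !hash_equals($_SESSION['fingerprint'], client_fingerprint());
    if ($expired || $mismatch) {
        destroy_session();
        http_response_code(401);
        exit($mismatch ? 'Session binding mismatch, please log in again.' : 'Session expired.');
    }
    $_SESSION['last_activity'] = $now;
}

function login_user(int $userId, string $role): void
{
    // Call after the password check succeeded (secure_session_start() already ran).
    // A fresh ID makes any ID planted or observed before login useless.
    session_regenerate_id(true);
    $now = time();
    $_SESSION = [
        'user_id'       => $userId, // identifiers and roles only, never secrets
        'role'          => $role,
        'created_at'    => $now,
        'last_activity' => $now,
        'fingerprint'   => client_fingerprint(),
    ];
}

function destroy_session(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as deleting the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage in a request handler (hypothetical $user / $hash come from your own user store):
// secure_session_start();
// if (password_verify($password, $hash)) { login_user($user->id, $user->role); }
```

The idle and absolute timeouts are enforced on every request rather than left to gc_maxlifetime, because PHP's garbage collector only runs probabilistically. The fingerprint uses the User-Agent alone; add REMOTE_ADDR only if your users never roam between networks.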