reference/session/security.xml
ccb379494533c9b7d63a81f0221231a9e526eee9
...
...
@@ -8,8 +8,8 @@
8
8
</para>
9
9
<para>
10
10
HTTP session management represents the core of web security.
11
-
All possible mitigation measures SHOULD be adopted to ensure
12
-
sessions are secured.
11
+
All possible mitigation measures <emphasis>should</emphasis>
12
+
be adopted to ensure sessions are secured.
13
13
Developers should also enable/use applicable security measures.
14
14
</para>
15
15

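Review bot: The emphasis on "should" is applied inconsistently inside this one paragraph: the rewritten line gets <emphasis>should</emphasis>, but the unchanged line that follows, "Developers should also enable/use applicable security measures.", keeps a bare "should" with the same normative intent. Either emphasize both or neither. While here, "enable/use" is a slash-list and reads better as "enable and use".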
...
...
@@ -30,8 +30,8 @@
30
30
The importance of the data carried in the session needs to be
31
31
assessed and further protection may be deployed; this typically
32
32
comes at a price, such as reduced convenience for the user.
33
-
For example, to protect users from a simple social engineering
34
-
tactic, <literal>session.use_only_cookies</literal>
33
+
For example, to protect users from a simple social engineering tactic,
34
+
<link linkend="ini.session.use-only-cookies">session.use_only_cookies</link>
35
35
needs to be enabled. In that case, cookies must be enabled
36
36
unconditionally on the client side, or sessions will not work.
37
37
</para>
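Review bot: The new <link linkend="ini.session.use-only-cookies"> needs to match the ini reference's actual xml:id; the other hunks in this patch use ini.session.use-strict-mode and ini.session.gc-maxlifetime, so the dotted, hyphenated form is at least consistent. The reflowed sentence still does not say what the "simple social engineering tactic" is; since the later hunk explains that with use_only_cookies=Off the module accepts IDs from GET or POST, one clause naming it (a session ID handed to the victim in a link, which use_only_cookies makes the server ignore) would make the mitigation concrete.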
...
...
@@ -64,7 +64,7 @@
64
64
</sect2>
65
65

66
66
<sect2 xml:id="features.session.security.management.non-adaptive-session">
67
-
<title>Nonadaptive Session Management</title>
67
+
<title>Non-adaptive Session Management</title>
68
68

69
69
<para>
70
70
PHP's session manager is adaptive by default currently.
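Review bot: Only the <title> changes to "Non-adaptive"; the section's xml:id already uses non-adaptive-session, so this aligns them, but any other spelling of the word in the section body should be changed in the same commit. The unchanged opening line, "PHP's session manager is adaptive by default currently.", reads awkwardly; "is currently adaptive by default" would be cleaner.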
...
...
@@ -128,7 +128,7 @@
128
128
</simpara>
129
129

130
130
<simpara>
131
-
When an access to an obsolete session occurs, developers should save all
131
+
When access to an obsolete session occurs, developers should save all
132
132
active session data of the user. As this information will be relevant
133
133
for an ensuing investigation. The user should be forcefully logged out
134
134
of all sessions, i.e. require them to reauthenticate.
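Review bot: Dropping the article fixes "When an access", but the next sentence in the unchanged context is a fragment: "As this information will be relevant for an ensuing investigation." Join it to the preceding sentence: "developers should save all active session data of the user, as this information will be relevant for an ensuing investigation." The closing "i.e. require them to reauthenticate" would also read better as "that is, require them to re-authenticate".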
...
...
@@ -155,7 +155,8 @@
155
155

156
156
<note>
157
157
<simpara>
158
-
Users prior to PHP 7.1.0 SHOULD use CSPRNG, e.g. /dev/urandom, or
158
+
Users prior to PHP 7.1.0 <emphasis>should</emphasis> use
159
+
<acronym>CSPRNG</acronym>, e.g. <filename>/dev/urandom</filename>, or
159
160
<function>random_bytes</function> and hash functions to generate
160
161
a new session ID. <function>session_create_id</function> has
161
162
collision detection and generates a session ID according to the
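Review bot: "should use CSPRNG, e.g. /dev/urandom, or random_bytes and hash functions" lists the alternatives ambiguously; as written it is unclear whether hashing is meant for both sources or only random_bytes. Hashing output that is already uniformly random adds no security, it only changes the encoding, so "use a CSPRNG (e.g. /dev/urandom or random_bytes) and encode the bytes, e.g. with bin2hex, to generate a new session ID" would be more accurate. The <acronym>CSPRNG</acronym> markup is good; expand the acronym on its first use in the section.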
...
...
@@ -189,7 +190,7 @@
189
190
Session IDs <emphasis>must</emphasis> be regenerated when user privileges
190
191
are elevated, such as after authenticating.
191
192
<function>session_regenerate_id</function> must be called prior to
192
-
setting the authentication information to $_SESSION.
193
+
setting the authentication information to <varname>$_SESSION</varname>.
193
194
(<function>session_regenerate_id</function> saves the current session data
194
195
automatically in order to save timestamp/etc. to the current session.)
195
196
Ensure only the new session contains the authenticated flag.
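Review bot: <varname>$_SESSION</varname> matches the other hunks, but the parenthetical on the unchanged line, "(session_regenerate_id saves the current session data automatically in order to save timestamp/etc. to the current session.)", is circular ("saves ... in order to save"). Suggest "(session_regenerate_id writes the current session data automatically, so the timestamp and other data are preserved in the old session.)", which keeps the point that the obsolete session retains the data needed to detect later access.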
...
...
@@ -212,7 +213,7 @@
212
213
this feature is not implemented. Old session data must be kept until GC.
213
214
Simultaneously, developers must assure themselves obsolete session data
214
215
is removed. However, developers must not remove active session data immediately.
215
-
I.e. <literal>session_regenerate_id(true);</literal> and
216
+
I.e. <code>session_regenerate_id(true);</code> and
216
217
<function>session_destroy</function> must never be called together for an active session.
217
218
This may sound contradictory, but this is a mandatory requirement.
218
219
</simpara>
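Review bot: Using <code> for the PHP snippet session_regenerate_id(true); is consistent with the session_start hunk later in this patch, while <literal> stays reserved for ini names and values; keep that split. In the unchanged context, "I.e." at sentence start and "assure themselves" are awkward: "That is, session_regenerate_id(true); and session_destroy must never be called together on an active session" and "developers must ensure obsolete session data is removed".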
...
...
@@ -237,7 +238,7 @@
237
238
</simpara>
238
239
<simpara>
239
240
Instead of deleting outdated sessions immediately, developers must set a
240
-
short-term expiration time (timestamp) in $_SESSION,
241
+
short-term expiration time (timestamp) in <varname>$_SESSION</varname>,
241
242
and prohibit access to the session data by themselves.
242
243
</simpara>
243
244
<simpara>
...
...
@@ -264,9 +265,10 @@
264
265

265
266
<warning>
266
267
<simpara>
267
-
Do not misunderstand the DoS risk. <literal>use_strict_mode=On</literal>
268
-
is mandatory for general session ID security! All sites are advised
269
-
to enable <literal>use_strict_mode</literal>.
268
+
Do not misunderstand the DoS risk.
269
+
<link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>=On
270
+
is mandatory for general session ID security! All sites are advised to enable
271
+
<link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>.
270
272
</simpara>
271
273
<simpara>
272
274
DoS can only happen when the account is under attack. A JavaScript injection
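Review bot: Placing "=On" outside the <link> matches the session.use_only_cookies=Off hunk below, so the presentation is consistent. The same full link is repeated in consecutive sentences of one <simpara>; the second occurrence could be a plain <literal>session.use_strict_mode</literal> to avoid the doubled link. "Do not misunderstand the DoS risk." would be clearer if it said what not to conclude, e.g. "The DoS risk discussed here is not a reason to leave session.use_strict_mode disabled."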
...
...
@@ -303,8 +305,8 @@
303
305
<note>
304
306
<simpara>
305
307
Access to an obsolete session can also happen because of an unstable network
306
-
and/or concurrent access to the web site.
307
-
E.g the server tried to set a new session ID via a cookie, but the Set-Cookie
308
+
and/or concurrent access to the website.
309
+
E.g. the server tried to set a new session ID via a cookie, but the Set-Cookie
308
310
packet may not have reached the client due to loss of connection.
309
311
One connection may issue a new session ID by <function>session_regenerate_id</function>,
310
312
but another concurrent connection may not have received the new session ID yet.
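Review bot: "the Set-Cookie packet may not have reached the client" is imprecise: Set-Cookie is a response header, not a packet, so "the response carrying the Set-Cookie header may not have reached the client" would be accurate. The "E.g" to "E.g." and "web site" to "website" fixes are correct.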
...
...
@@ -335,7 +337,7 @@
335
337
To mitigate the risk of a DoS attack by session-locking, minimize locks.
336
338
Use read only sessions when session data does not need to be updated.
337
339
Use the 'read_and_close' option with <function>session_start</function>.
338
-
<literal>session_start(['read_and_close'=>1]);</literal>
340
+
<code>session_start(['read_and_close'=>1]);</code>
339
341
Close the session as soon as possible after updating $_SESSION by
340
342
using <function>session_commit</function>.
341
343
</para>
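Review bot: The line right after the changed one still has a bare $_SESSION ("after updating $_SESSION by using session_commit") while the other hunks in this patch wrap it in <varname>; apply the same markup here. The option name in the prose, "Use the 'read_and_close' option", should be <literal>read_and_close</literal> rather than straight quotes, matching the <code> snippet that follows.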
...
...
@@ -387,7 +389,7 @@
387
389
<simpara>
388
390
Enabling <link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
389
391
is mandatory for this setup. Ensure it is enabled.
390
-
Otherwise the active session database can be compromised.
392
+
Otherwise, the active session database can be compromised.
391
393
</simpara>
392
394
</warning>
393
395

...
...
@@ -413,7 +415,7 @@
413
415
Use a secure one time hash key as an auto-login key using
414
416
<function>setcookie</function>. Use a secure hash stronger than SHA-2.
415
417
E.g. SHA-256 or greater with random data from <function>random_bytes</function>
416
-
or /dev/urandom.
418
+
or <filename>/dev/urandom</filename>.
417
419
</para>
418
420

419
421
<para>
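Review bot: The surrounding sentence is self-contradictory: "Use a secure hash stronger than SHA-2. E.g. SHA-256 or greater" names SHA-256, which is a member of the SHA-2 family, as something stronger than SHA-2. Suggest "Use a secure hash from the SHA-2 family or stronger, e.g. SHA-256". "one time hash key" should be hyphenated as "one-time". The <filename>/dev/urandom</filename> markup matches the earlier CSPRNG hunk.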
...
...
@@ -513,9 +515,9 @@
513
515
Most applications should use a cookie for the session ID.
514
516
</para>
515
517
<para>
516
-
If <literal>session.use_only_cookies</literal>=Off,
518
+
If <link linkend="ini.session.use-only-cookies">session.use_only_cookies</link>=Off,
517
519
the session module will use the session ID values set by
518
-
GET/POST/URL provided the session ID cookie is uninitialized.
520
+
GET or POST provided the session ID cookie is uninitialized.
519
521
</para>
520
522
</listitem>
521
523

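Review bot: Dropping "URL" from "GET/POST/URL" is acceptable, since a URL-embedded session ID arrives as a GET parameter, but "provided the session ID cookie is uninitialized" is vague; "only when the client sent no session ID cookie" states the condition directly.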
...
...
@@ -524,7 +526,8 @@
524
526
<link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>=On
525
527
</para>
526
528
<para>
527
-
Although, enabling <literal>session.use_strict_mode</literal>
529
+
Although, enabling
530
+
<link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
528
531
is mandatory for secure sessions. It is disabled by default.
529
532
</para>
530
533
<para>
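Review bot: The two sentences around the new link are a fragment followed by a non sequitur: "Although, enabling session.use_strict_mode is mandatory for secure sessions. It is disabled by default." Merge them: "Although enabling session.use_strict_mode is mandatory for secure sessions, it is disabled by default." The link conversion itself is fine.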
...
...
@@ -535,17 +538,19 @@
535
538
</para>
536
539
<para>
537
540
Due to the cookie specification, attackers are capable to place
538
-
non removable session ID cookies by locally setting a cookie database
541
+
non-removable session ID cookies by locally setting a cookie database
539
542
or JavaScript injections.
540
-
<literal>session.use_strict_mode</literal> can prevent an attacker
541
-
initialized session ID of being used.
543
+
<link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
544
+
can prevent an attacker-initialized session ID of being used.
542
545
</para>
543
546
<note>
544
547
<para>
545
548
Attackers may initialize a session ID with their device and may set
546
549
the session ID of the victim. They must keep the session ID active to abuse.
547
550
Attackers require additional steps to perform an attack in this scenario.
548
-
Therefore, <literal>session.use_strict_mode</literal> works as a mitigation.
551
+
Therefore,
552
+
<link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
553
+
works as a mitigation.
549
554
</para>
550
555
</note>
551
556
</listitem>
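Review bot: "can prevent an attacker-initialized session ID of being used" still has the wrong preposition; it should be "from being used". The hyphenation fixes ("non-removable", "attacker-initialized") are correct. In the unchanged context, "attackers are capable to place" should be "attackers can place", and "They must keep the session ID active to abuse." needs its object: "to abuse it".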
...
...
@@ -606,7 +611,7 @@
606
611
<link linkend="ini.session.gc-maxlifetime">session.gc_maxlifetime</link>=[choose smallest possible]
607
612
</para>
608
613
<para>
609
-
<literal>session.gc_maxlifetime</literal>
614
+
<link linkend="ini.session.gc-maxlifetime">session.gc_maxlifetime</link>
610
615
is a setting for deleting obsolete session ID.
611
616
Reliance on this setting is <emphasis>not</emphasis> recommended.
612
617
Developers should manage the lifetime of sessions with a timestamp by themselves.
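Review bot: The link conversion is fine, but the unchanged line "is a setting for deleting obsolete session ID." should be plural, "obsolete session IDs", and the "=[choose smallest possible]" placeholder beside the ini name reads better as prose, e.g. "set it as small as the application allows".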
...
...
@@ -690,7 +695,8 @@
690
695
linkend="ini.session.use-trans-sid">session.use_trans_sid</link>
691
696
is enabled.
692
697
It reduces the risk of session ID injection.
693
-
If a website is http://example.com/, set http://example.com/ to it.
698
+
If a website is <literal>http://example.com/</literal>,
699
+
set <literal>http://example.com/</literal> to it.
694
700
Note that with HTTPS browsers will not send the referrer header.
695
701
Browsers may not send the referrer header by configuration.
696
702
Therefore, this setting is not a reliable security measure.
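Review bot: "set http://example.com/ to it" inverts the object; "set it to http://example.com/" is what is meant. The example also uses a plain-http origin while the very next line notes that browsers do not send the referrer header under HTTPS, so an https URL in the example would avoid recommending an http site by implication. If the rest of the manual uses DocBook's <uri> element for URLs, prefer it over <literal> here.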
...
...
@@ -705,10 +711,13 @@
705
711
<para>
706
712
Ensure HTTP content are uncached for authenticated sessions.
707
713
Allow caching only when the content is not private.
708
-
Otherwise, content may be exposed. "private" may be employed if HTTP content does not
714
+
Otherwise, content may be exposed.
715
+
<literal>"private"</literal> may be employed if HTTP content does not
709
716
include security sensitive data.
710
-
Note that "private" may transmit private data cached by shared clients.
711
-
"public" must only be used when HTTP content does not contain any private data at all.
717
+
Note that <literal>"private"</literal> may transmit private data
718
+
cached by shared clients.
719
+
<literal>"public"</literal> must only be used when HTTP content does
720
+
not contain any private data at all.
712
721
</para>
713
722
</listitem>
714
723

715
724
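Review bot: Putting the quotation marks inside <literal>"private"</literal> and <literal>"public"</literal> makes the quotes part of the literal; elsewhere in this patch literals carry only the token, so <literal>private</literal> and <literal>public</literal> would be consistent. The unchanged first line, "Ensure HTTP content are uncached", has a number disagreement: "Ensure HTTP content is not cached for authenticated sessions." And "private may transmit private data cached by shared clients" is unclear; Cache-Control private still allows the browser (a non-shared cache) to store the response, so "private still lets the browser cache the response, which may expose data on shared client machines" states the actual risk.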