PHP authentication - Revision history

Paul at 17:23, 8 April 2023

2023-04-08T17:23:00Z

← Older revision		Revision as of 17:23, 8 April 2023
Line 29:		Line 29:

	Remember that a session ID is a shared token between the client and the server. Any client with the token can convince the server that it is authorised to access the data held alongside the token, and therefore the token should be viewed as a secret and handled as such (do not output it to the page, do not include in URLs, always send over HTTPS etc.)		Remember that a session ID is a shared token between the client and the server. Any client with the token can convince the server that it is authorised to access the data held alongside the token, and therefore the token should be viewed as a secret and handled as such (do not output it to the page, do not include in URLs, always send over HTTPS etc.)

			== Remember me ==

			To implement a 'remember me' function, you need to set a cookie manually instead of using PHP sessions. This is because sessions are intended to be short-lived and may disappear from the server (e.g. Debian deletes unused sessions automatically after a period of time).

			To prevent timing attacks, the contents of the 'remember me' cookie should have two parts: something to identify/select the record and something to verify the record. The identifier has the same purpose as the username when logging in - you use it to fetch a given row from the database such as:

			SELECT token FROM remember_me_tokens WHERE identifier = :identifier

			Assuming your identifier is unique (which it should be - generate a unique ID, do not use the user ID or any other column from the database) one row will be returned in more or less constant time (assuming your database engine has indexed the identifier, which most will for a unique column). You can then check if the token matches the verify part of the cookie. In this case the token is not using a password hashing algorithm such as bcrypt, but we need to use the hash_equals function (similar to password_hash, this is designed to neutralise timing attacks by giving an answer in constant time, regardless of whether the answer is true or false).

	== References ==		== References ==

	* [https://www.php.net/manual/en/session.security.ini.php Securing Session INI Settings]		* [https://www.php.net/manual/en/session.security.ini.php Securing Session INI Settings]

Paul: /* Session cookies */

2023-04-08T16:59:26Z

Session cookies

← Older revision		Revision as of 16:59, 8 April 2023
Line 28:		Line 28:
	Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.		Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.

	Remember that a session ID is a shared token between the client and the server. Any client with the token can convince the server that it is authorised to access the data held alongside the token, and therefore the token should be viewed as a secret and handled as such (do not output it to the page, do not ~~send~~ in URLs etc.)		Remember that a session ID is a shared token between the client and the server. Any client with the token can convince the server that it is authorised to access the data held alongside the token, and therefore the token should be viewed as a secret and handled as such (do not output it to the page, do not include in URLs, always send over HTTPS etc.)

	== References ==		== References ==

	* [https://www.php.net/manual/en/session.security.ini.php Securing Session INI Settings]		* [https://www.php.net/manual/en/session.security.ini.php Securing Session INI Settings]

Paul: /* Session cookies */

2023-04-08T16:59:10Z

Session cookies

← Older revision		Revision as of 16:59, 8 April 2023
Line 27:		Line 27:

	Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.		Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.

			Remember that a session ID is a shared token between the client and the server. Any client with the token can convince the server that it is authorised to access the data held alongside the token, and therefore the token should be viewed as a secret and handled as such (do not output it to the page, do not send in URLs etc.)

	== References ==		== References ==

	* [https://www.php.net/manual/en/session.security.ini.php Securing Session INI Settings]		* [https://www.php.net/manual/en/session.security.ini.php Securing Session INI Settings]

Paul: /* Session cookies */

2023-04-08T16:44:45Z

Session cookies

← Older revision		Revision as of 16:44, 8 April 2023
Line 24:		Line 24:
	* Regenerate the session ID when privileges are changed		* Regenerate the session ID when privileges are changed
	* Restricting cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that domain and not example.org		* Restricting cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that domain and not example.org
			* If you are on a shared server, setting session.save_path to a restricted directory (i.e. not world-readable, which it often is by default) will help prevent other users from viewing the session IDs. Note that all that is required to get the session IDs is the ability to list files in the directory, because the filenames usually contain the session ID - which may be sufficient to hijack sessions. This is redundant if sessions are saved in Redis, a database etc.

	Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.		Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.

Paul: /* Session cookies */

2023-04-08T16:41:50Z

Session cookies

← Older revision		Revision as of 16:41, 8 April 2023
Line 16:		Line 16:
	* Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict')		* Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict')
	* Session lifetime is set to zero seconds, which in most browsers will mean the cookie is deleted when the browser is closed (session.cookie_lifetime = 0 or $options['expires'] = 0)		* Session lifetime is set to zero seconds, which in most browsers will mean the cookie is deleted when the browser is closed (session.cookie_lifetime = 0 or $options['expires'] = 0)

			Note you cannot rely on the session cookie being deleted when the browser is closed, as this behaviour is not controlled by PHP and many users leave their browsers open all the time anyway. However, you can delete the session identifier from the server (e.g. using garbage collection), which will effectively render the cookie useless because there will be no matching record.

	Things you might want to consider:		Things you might want to consider:

Paul at 16:40, 8 April 2023

2023-04-08T16:40:03Z

← Older revision		Revision as of 16:40, 8 April 2023
Line 15:		Line 15:
	* Use strict mode (session.use_strict_mode = 1)		* Use strict mode (session.use_strict_mode = 1)
	* Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict')		* Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict')
			* Session lifetime is set to zero seconds, which in most browsers will mean the cookie is deleted when the browser is closed (session.cookie_lifetime = 0 or $options['expires'] = 0)

	Things you might want to consider:		Things you might want to consider:

Paul: /* Session cookies */

2023-04-08T16:35:35Z

Session cookies

← Older revision		Revision as of 16:35, 8 April 2023
Line 13:		Line 13:
	* Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)		* Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)
	* Cookies are restricted to the domain (session.cookie_domain = "example.org" or $options['domain'] = 'example.org')		* Cookies are restricted to the domain (session.cookie_domain = "example.org" or $options['domain'] = 'example.org')
			* Use strict mode (session.use_strict_mode = 1)
			* Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict')

	Things you might want to consider:		Things you might want to consider:

Paul at 16:31, 8 April 2023

2023-04-08T16:31:20Z

← Older revision		Revision as of 16:31, 8 April 2023
Line 9:		Line 9:
	Whether you use the built-in functionality or setcookie, you need to ensure that:		Whether you use the built-in functionality or setcookie, you need to ensure that:

	* Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1)		* Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1, session.use_only_cookies = 1)
	* Only send session cookies for HTTP requests (session.cookie_httponly = 1 or $options['httponly'] = true)		* Only send session cookies for HTTP requests (session.cookie_httponly = 1 or $options['httponly'] = true)
	* Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)		* Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)

Paul at 16:30, 8 April 2023

2023-04-08T16:30:24Z

← Older revision		Revision as of 16:30, 8 April 2023
Line 21:		Line 21:

	Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.		Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.

			== References ==

			* [https://www.php.net/manual/en/session.security.ini.php Securing Session INI Settings]

Paul at 16:29, 8 April 2023

2023-04-08T16:29:05Z

← Older revision		Revision as of 16:29, 8 April 2023
Line 19:		Line 19:
	* Regenerate the session ID when privileges are changed		* Regenerate the session ID when privileges are changed
	* Restricting cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that domain and not example.org		* Restricting cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that domain and not example.org

			Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.