cookies and session

COOKIES & SESSIONAdvanced

YOU HAVE ZERO PRIVACY ANYWAY

Scott McNealy (Sun Microsystems)

What is Cookie?

A cookie is a text-only string created by the website you navigate and gets entered into the memory of the browser. 

If the lifetime of this value is set to be longer than the time you spend at that site, then this string is saved to file for future reference.

Historical Brief

Lou Montulli, protocols manager in Netscape's client product division, wrote the cookies specification for Navigator 1.0.

Netscape Navigator 1.0 the first browser to use the technology.

Cookie Anatomy

A Cookie can have 6 parameters passed to it Name (Mandatory) Value (Mandatory) Expiration Date (If not set the default is

end of session). Path Domain Secure Connected Required

Cookie Anatomy – Expiration Date

The expires parameter lets you determine the lifetime of the cookie. 

If not set explicitly, then it defaults to end-of-session.

The length of a session is the length of time that the browser is open for (even if the user is no longer at that site). 

Cookie Anatomy – Path

It sets the URL path the cookie is valid within.

Pages outside of that path cannot read or use the cookie. 

Cookie Anatomy – Domain

If a site uses multiple servers within a domain then it is important to make the cookie accessible to pages on any of these servers.

 Cookies can be assigned to individual machines, or to an entire Internet domain.

The only restrictions on this value is that it must contain at least two dots (.myserver.com, not myserver.com) for the normal top-level domains, or three dots for the "extended" domains (.myserver.ny.us, not myserver.ny.us)

 The server issuing the cookie must be a member of the domain that it tries to set in the cookie. That is, a server called www.myserver.com cannot set a cookie for the domain www.yourserver.com. The security implications should be obvious

If Domain is not set explicitly, then it defaults to the full domain of the document creating the cookie. 

Cookie Anatomy – Secure

False by default; only used in HTTPS websites.

Create Cookie

In PHP use the function: setcookie Setcookie takes the 6 parameters

Name Value Expire Date Path Domain Secure

Retrieving a Cookie Value  Cookies can be read on the browser side or the server

side. Again, the determining factor is the language used. 

The main limit on retrieving a cookie is that you can only retrieve cookies that are valid for the document your script resides in. That is, a script on www.myserver.com cannot read cookies from www.yourserver.com.

Also for subdirectories within your site. A cookie valid for /dirOne cannot be read by a script in /dirTwo. This is mainly governed on the browser side, as browsers know the URL that they are accessing, and only transmit cookies for that server across the connection.

Retrieving Cookie (PHP)

Use the variable $_COOKIE[‘name’]

Clearing Cookie Value

Set the cookie's value to null. Set the cookie's expiration date to

some time in the past.

What is a session?

You are working with an application. You open it, make some changes, and then you close it. That is a session.

How session works?

Each user accessing the website has a unique ID assigned to him managed by PHP.

Session Stores the information on the server rather than the client side like in Cookies.

What is $_SESSION

It is a special array used to store information across the page requests a user makes during his visit to your website or web application.

Starting Session

session_start() starts the session between the user and the server, and allows values stored in $_SESSION to be accessible in other scripts later on.

Killing Session Variables

To end single session variable use unset(‘session variable’)

To unset all of the session’s values, you can use the session_unset() function.

It is very important to clean up after yourself to ensure maximum security when dealing with potentially sensitive information.

To avoid having a huge amount of stale session data sitting on the server.

Terminate Session

session_destroy() is responsible for terminating the session so you can no more access/store session variables in the array $_SESSION.

Session Security Tips

Setting Timeout Regenerate Session ID Destroy Session Use Permanent storage

Session Timeout

Timing-out sessions is a very important action if you are dealing with users logged in to your website or application. If a user logs in to your site in an Internet café and then leaves the computer and café without logging out, how do you stop the next user on that computer from still having access to the previous user’s session?

Regenerate Session ID

The session_regenerate_id() function creates a new unique-ID for to represent the current user’s session.

This should be regenerated time any important authentication action is performed, such as logging in or updating user profile data.

Giving the sessions a new ID after such actions make your application more secure by reducing the risk of a specific attack known as “Session Hijacking.”

Destroy Session

This stops attackers from hijack the stale session, again increasing the session-related security of your web site.

Use Permanent Storage

Use a database to store data at the earliest moment you know the data will be persistent; don’t let it stay as part of the session for too long as this opens it up to possible attack. Really think about whether the data belongs should be stored in $_SESSION because session data is meant to be transient.

Session Hacking

Session Fixation Prediction Capture Fixation -- Exclude

Session Hijacking

Session Fixation (Prediction) Rarely used. Prediction refers to guessing a valid

session identifier. With PHP's native session mechanism, the session identifier is extremely random, and this is unlikely to be the weakest point in your implementation.

Session Fixation (Capture) Most Common. Because session identifiers are typically

propagated in cookies or as GET variables, the different approaches focus on attacking these methods of transfer.

While there have been a few browser vulnerabilities regarding cookies, these have mostly been Internet Explorer, and cookies are slightly less exposed than GET variables.

Thus, for those users who enable cookies, you can provide them with a more secure mechanism by using a cookie to propagate the session identifier.

Sesson Hijacking

Most common session attack Session hijacking refers to all attacks

that attempt to gain access to another user's session.

If your session mechanism only consists of session_start(), you are vulnerable, although the exploit isn't as simple.

Session Hijacking

Rather than focusing on keeping the session identifier from being captured, focus on how to make such a capture less problematic.

The goal is to complicate impersonation, since every complication increases security.

With the most simplistic session mechanism, a valid session identifier is all that is needed to successfully hijack a session. In order to improve this, we need to see if there is anything extra in an HTTP request that we can use for extra identification