Preventing Session Hijacking in PHP

You want make sure an attacker can’t access another user’s session. The solution is to allow passing of session IDs via cookies only, and generate an additional session token that is passed via URLs. Only requests that contain a valid session ID and a valid session token may access the session:

If you’re using a PHP version earlier than 4.3.0, output_add_rewrite_var( ) is not available.

Adding a session token to links

<br /> <?php<br /> ini_set(’session.use_only_cookies’, true);<br /> session_start();</p> <p>$salt = ‘YourSpecialValueHere’;<br /> $tokenstr = (str) date(’W') . $salt;<br /> $token = md5($tokenstr);</p> <p>if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {<br /> // prompt for login<br /> exit;<br /> }</p> <p>$_SESSION['token'] = $token;</p> <p>ob_start(’inject_session_token’);</p> <p>function inject_session_token($buffer)<br /> {<br /> $hyperlink_pattern = “/<a[^>]+href=\”([^\"]+)/i”;<br /> preg_match_all($hyperlink_pattern, $buffer, $matches);</p> <p>foreach ($matches[1] as $link) {<br /> if (strpos($link, ‘?’) === false) {<br /> $newlink = $link . ‘?token=’ . $_SESSION['token'];<br /> } else {<br /> $newlink = $link .= ‘&token=’ . $_SESSION['token'];<br /> }<br /> $buffer = str_replace($link, $newlink, $buffer);<br /> }</p> <p>return $buffer;<br /> }</p> <p>

The regular expression for matching hyperlinks in the inject_session_token( ) function isn’t bulletproof; it will not catch hyperlinks with href attributes quoted with single quotes.

Discussion
This example creates an auto-shifting token by joining the current week number together with a salt term of your choice. With this technique, tokens will be valid for a reasonable period of time without being fixed.

We then check for the token in the request, and if it’s not found, we prompt for a new login.

If it is found, it needs to be added to generated links. output_add_rewrite_var( ) does this easily. Without output_add_rewrite_var( ), we continue generating the page and declare an output buffer callback function that will make sure that any hyperlinks on the page are modified to contain the current token before the page is displayed.

Note that the inject_session_token( ) function in the example does not address imagemaps, form submissions, or Ajax calls; make sure that you adjust any such functionality on a page to include the session token that’s been generated and stored in the session.