开发者

is my session id generated before login?

问答 作者:

I read about session vulnerability in the php manual and came across this issue: I need my server/code to generate the session-id AFTER successfully authenticating the user.

Now, I am not sure when php sets the session Id. My php application is MVC-like, and everything goes through index.php, and at the top of index.php I have session.开发者_StackOverflowstart() since every single page (after login) uses sessions.

Is this a vulnerability risk? Or, should I put it like this: Does this mean that upon first arrival to my site, even before login, does the server set a session id for that user? Does session.start() set a user ID, or is a session-id not generated until I set my first session variable, ie. until I do $_SESSION['foo']='bar'?

If a session is actually generated already upon session.start(), I guess a good idea would be to regenerate the session-id after authenticating, does that in that case solve the issue?

The session ID is generated when you run session_start().

Best practice is to refresh the session ID upon login using session_regenerate_id().

PHP generates a new session ID when session_start is called and no valid session ID was passed. So in your case the user will already get a session ID when visiting the login form page.

This is not a security vulnerability in general but it can be if your application is vulnerable to session fixation. To avoid that there are some counter-measures. The most important with regard to authentication is to generate a new session ID and invalidate the old one. You can do that by calling session_regenerate_id before storing the user information in the session:

if ($userIsAuthentic) {
    session_regenerate_id(true);
    $_SESSION['user-id'] = 12345;
    /* … */
}

Or, should I put it like this: Does this mean that upon first arrival to my site, even before login, does the server set a session id for that user?

Yes, it does.

I guess a good idea would be to regenerate the session-id after authenticating, does that in that case solve the issue?

You are correct.

Does session.start() set a user ID, or is a session-id not generated until I set my first session variable...

In any case, regenerating the session ID on user login costs you essentially nothing, and even if you don't set $_SESSION variables for non-logged-in users, you are covered if for some reason you decide to do so in the future.

继续阅读:phpsecuritysessionsessionid

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9