
Security options (Update documentation to include details on session security) #18

Open
richbrat opened this issue Mar 31, 2015 · 3 comments

Comments

@richbrat

With the old solution, using SessionCookie, I was able to set some encryption- and secret key-options. Are there any security related options I should set using Zend sessions?

@jeremykendall
Owner

Yes, there are, although at first glance they're not as explicit as the SessionCookie settings.

First I'd review your php.ini cookie settings using an automated tool. I prefer psecio/iniscan.

# add psecio/iniscan to the project (composer install takes no package name; require does)
composer require psecio/iniscan
# ... wait for installation to complete ...
# scan the php.ini the web SAPI actually loads (php --ini shows the path)
./vendor/bin/iniscan scan --path /path/to/php.ini

Here's an example of the output of the cookie section of the iniscan:

./vendor/bin/iniscan scan --path /etc/php5/fpm/php.ini
== Executing INI Scan [03.31.2015 14:05:50] ==

Results for /etc/php5/fpm/php.ini:
============
Status | Severity | PHP Version | Key                      | Description
----------------------------------------------------------------------
PASS   | ERROR    |             | session.use_cookies      | Accepts cookies to manage sessions
PASS   | ERROR    | 4.3.0       | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link
PASS   | WARNING  |             | session.cookie_domain    | It is recommended that you set the default domain for cookies.
PASS   | ERROR    | 5.2.0       | session.cookie_httponly  | Setting session cookies to 'http only' makes them only readable by the browser
PASS   | ERROR    | 4.3.0       | session.bug_compat_42    | An undocumented feature/bug that allows initialize of a session in the global scope even if register_globals is disabled for PHP up to 5.3.22
PASS   | WARNING  | 4.3.0       | session.bug_compat_warn  | Disable warnings for session.bug_compat_42
PASS   | WARNING  |             | session.hash_function    | Check against a list of recommended session hashing functions
PASS   | WARNING  |             | session.save_path        | Session save path should be set and writeable by only the web user
PASS   | ERROR    | 4.0.3       | session.use_trans_sid    | If used 'use_trans_sid' setting puts the session ID on the URL, making it easier to hijack
PASS   | ERROR    | 4.0.4       | session.cookie_secure    | Cookie secure specifies whether cookies should only be sent over secure connections.
PASS   | WARNING  |             | session.entropy_file     | A file should be provided to help provide session entropy
PASS   | WARNING  | 5.5.2       | session.use_strict_mode  | Strict mode prevents uninitialized session IDs in the built-in session handling.

The output will recommend some changes to your cookie settings which you can either implement directly in your php.ini or add to the SessionConfig as shown below:

use Zend\Session\Config\SessionConfig;

$sessionConfig = new SessionConfig();
$sessionConfig->setOptions(array(
    'cookie_secure'       => true,               // send the session cookie over HTTPS only
    'remember_me_seconds' => 60 * 60 * 24 * 7,   // one week, used by rememberMe()
));

(RE: session.hash_function: You can verify the hashing algorithms available to your PHP installation by executing the following from the command line: php -r "var_dump(hash_algos());")

The PHP documentation on Sessions and security is excellent. I highly recommend reviewing it to better understand your options when it comes to securing sessions.

The Zend\Session documentation is not as clear as it could be, but it does show all of the settings available to SessionConfig. Any settings you add to SessionConfig are settings you don't have to update in php.ini, which is nice because you can change your settings programmatically based on your application environment.

I'll add examples to the Slim Auth sample implementation as soon as I get the chance.
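As an added example (not code from the issue, Slim Auth or Zend\Session itself), here is a SessionConfig that sets the session.* keys iniscan reports above, wires it into a SessionManager, verifies the values reached PHP, and regenerates the ID on login. It assumes ZF2 zend-session is installed via Composer, the site is served over HTTPS, and that option keys without a dedicated setter (such as use_strict_mode) are passed through to ini_set('session.<key>'); the session name and the onSuccessfulLogin helper are constructed for illustration.

```php
<?php
// Added example, not from the issue or Slim Auth. Assumes zendframework/zend-session
// (ZF2) is installed via Composer and that the application is served over HTTPS.
require __DIR__ . '/vendor/autoload.php';

use Zend\Session\Config\SessionConfig;
use Zend\Session\Container;
use Zend\Session\SessionManager;

// Mirror the session.* keys iniscan checks. Keys without a dedicated setter
// (e.g. use_strict_mode) are assumed to fall through to ini_set('session.<key>').
$sessionConfig = new SessionConfig();
$sessionConfig->setOptions(array(
    'name'                => 'APPSESSID',        // constructed name, not the PHP default
    'use_cookies'         => true,
    'use_only_cookies'    => true,               // never accept an ID from the URL
    'use_trans_sid'       => false,              // no session ID rewriting into links
    'cookie_httponly'     => true,               // cookie not readable from JavaScript
    'cookie_secure'       => true,               // HTTPS only
    'use_strict_mode'     => true,               // reject uninitialized IDs (PHP >= 5.5.2)
    'cookie_lifetime'     => 0,                  // expires when the browser closes
    'gc_maxlifetime'      => 60 * 30,            // server-side idle timeout: 30 minutes
    'remember_me_seconds' => 60 * 60 * 24 * 7,   // one week when rememberMe() is used
));

$manager = new SessionManager($sessionConfig);
Container::setDefaultManager($manager);
$manager->start();

// Sanity check: confirm the options actually reached PHP's session extension,
// so a typo in a key does not silently leave the cookie unprotected.
foreach (array('use_only_cookies', 'cookie_httponly', 'cookie_secure') as $key) {
    if (ini_get('session.' . $key) != '1') {
        throw new RuntimeException("session.$key is not enabled");
    }
}

// On a privilege change (login), replace the session ID and discard the old
// session so an ID set or observed before authentication is useless afterwards.
function onSuccessfulLogin(SessionManager $manager, $userId)
{
    $manager->regenerateId(true);
    $auth = new Container('auth');
    $auth->userId = $userId;
}
```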

@jeremykendall
Owner

Thanks for the excellent question, by the way. I'll make sure to update the documentation to include details on Zend\Session and session security.

@jeremykendall jeremykendall changed the title Security options Security options (Update documentation to include details on session security) Mar 31, 2015
@richbrat
Author

Thank YOU Jeremy, I'll look into this asap!
