To make sure session IDs are generated securely and that your PHP application resists session fixation attacks, you can follow these steps (all session configuration calls below must run before session_start()):
- Set the session cookie parameters:
session_set_cookie_params([
'lifetime' => 0, // session cookie lifetime in seconds (0 = until browser is closed)
'path' => '/', // path on the domain where the cookie will work
'secure' => true, // send the cookie only over secure connections (HTTPS)
'httponly' => true, // prevent JavaScript from accessing the session cookie
'samesite' => 'Strict', // restricts the cookie to only be sent with "same-site" requests
]);
In this example, session_set_cookie_params() (array form, PHP 7.3 or later) sets the session cookie attributes and must be called before session_start(). The lifetime parameter is 0, making the cookie a session cookie that the browser discards when it is closed; note that browsers with session restore may keep it longer, and the server-side lifetime is still governed by session.gc_maxlifetime. The path parameter is / so the cookie is sent for the entire site. The secure parameter is true so the browser only sends the cookie over HTTPS. The httponly parameter is true so JavaScript cannot read the cookie, which limits what an XSS bug can steal. Finally, samesite is Strict so the browser only attaches the cookie to same-site requests, which blocks most CSRF; use Lax if users arrive at authenticated pages via external links and Strict breaks that flow.
- Make sure the session ID comes from a cryptographically secure random number generator:
PHP's built-in generator already does this: since PHP 7.1, session IDs are produced from the system CSPRNG, with length and alphabet controlled by session.sid_length and session.sid_bits_per_character, so normally you do not need to generate IDs yourself. If you do set one manually, derive it from random_bytes():
session_id(bin2hex(random_bytes(32))); // 64 hex characters from the CSPRNG; must run before session_start()
In this example, session_id() sets the ID for the session that session_start() will open, using random_bytes(), which returns cryptographically secure random bytes. Two caveats: calling this unconditionally on every request starts a fresh, empty session each time (the client's existing session is never resumed), so do it only when you deliberately create a new session; and with session.use_strict_mode enabled, an ID set this way that does not already exist in the session store is discarded and PHP generates its own. Enabling session.use_strict_mode (off by default) is itself the key anti-fixation control, because PHP then refuses any session ID it did not issue, so an attacker cannot plant a chosen ID in the victim's browser and have the server adopt it.
- Regenerate the session ID on login and periodically:
if (rand(1, 100) === 1) { // regenerate the session ID on roughly 1% of requests; rand() is fine here because the odds are not secret
session_regenerate_id(true); // issue a new session ID and delete the storage entry for the old ID
}
In this example, session_regenerate_id() (which must be called after session_start()) replaces the current session ID on roughly 1% of requests. The true argument deletes the old session's storage entry; the session data itself is preserved and carried over to the new ID. Periodic regeneration limits how long a leaked ID stays valid, but the step that actually defeats session fixation is regenerating the ID immediately after a successful login or any privilege change, so that an ID the attacker may have known before authentication is never promoted to an authenticated one. Be aware that deleting the old entry immediately can log out a user whose concurrent request still carries the old ID; the PHP manual's session_regenerate_id() documentation describes keeping the old session briefly with a destroyed timestamp to avoid this.
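Putting the steps together, here is an added, self-contained example (it is not code from the original page): one bootstrap function that applies the cookie parameters, enables strict mode so PHP rejects IDs it did not issue, rotates the ID on a fixed interval instead of a random 1% chance, and a login helper that regenerates the ID at the moment of authentication. The function names, the $_SESSION keys 'user_id' and 'created_at', and the 15-minute rotation interval are assumptions chosen for this example.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not from the original page. Function names, session keys
 * and the 15-minute interval are assumptions for illustration.
 * Requires PHP 7.3+ (array forms of session_set_cookie_params/setcookie).
 */
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started during this request
    }

    // Core anti-fixation control: refuse any session ID the server did not
    // itself create, so a planted PHPSESSID cookie is never adopted.
    ini_set('session.use_strict_mode', '1');

    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Let PHP's built-in CSPRNG-based generator produce long IDs
    // (48 characters from a 64-symbol alphabet = 288 bits).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // Cookie attributes from the steps above; must precede session_start().
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    session_start();

    // Periodic rotation on a fixed schedule: once the current ID is older
    // than 15 minutes, issue a new one and drop the old storage entry.
    $now = time();
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    } elseif ($now - $_SESSION['created_at'] > 900) {
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    }
}

/**
 * Call immediately after credentials have been verified. Regenerating here
 * ensures an ID known before authentication never becomes an authenticated one.
 */
function login_user(int $userId): void
{
    start_secure_session();
    session_regenerate_id(true);         // new ID; old entry removed
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}

/** Full logout: clear data, expire the cookie, destroy the server-side entry. */
function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical use: start_secure_session() at the top of every request, then
// login_user($id) once a password check succeeds.
```

The ini_set() calls work because these session directives are changeable at runtime (PHP_INI_ALL); setting them in php.ini or the PHP-FPM pool configuration instead avoids repeating them in every entry point. The immediate deletion in session_regenerate_id(true) can still drop a request that raced with the rotation; if that matters for your application, follow the PHP manual's pattern of marking the old session destroyed and letting it expire shortly afterwards instead.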
By following these steps, keeping session.use_strict_mode enabled, and regenerating the session ID at login, you ensure that session IDs in your PHP application behind an nginx web server are unpredictable, are only sent over HTTPS, are not exposed to scripts, and cannot be fixed by an attacker ahead of authentication.