OWASP A3 – Broken Authentication and Session Management Defenses with PHP Part 2
We covered OWASP ASVS 3.1, 3.2, and 3.3 in our previous post. I will continue where we left off, beginning this week’s post with ASVS 3.4.
ASVS 3.4 Requirement:
Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). I am not sure that this is a security requirement for most applications, but the intent here is to make a user re-authenticate after a certain period of time regardless of activity.
ASVS 3.4 Solution:
Review my first post for a similar concept. You would need to create a session variable that is initialized at each login with something like this:
$_SESSION['Login_Time'] = time();
Then, you need to compare the current time with the initial login time. This could be validated in a header file.
The steps in PHP are:
- Check to see if the session variable used to track activity has been set. If not, destroy any session data and redirect to the login page.
- Check to see if the current time minus the time recorded for the initial login is greater than 86,400 seconds (24 hours). If the timer has been exceeded, then destroy any session data and redirect to the login page.
The following code can be placed in a header file that is included by every page:
// Check to see if the session variable used to track the login time has been set, // if not then destroy all session data and redirect to the login page. If it has // been set, compare current time minus the last activity time, and if it is // greater than 86,400 seconds (24 hours), then destroy session data and // redirect to the login page. if (!isset($_SESSION['Login_Time']) || ((time() - $_SESSION['Login_Time']) > 86400)) { session_destroy(); $_SESSION = array(); if (ini_get("session.use_cookies")) { $params = session_get_cookie_params(); setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"] ); } header('Location: login.php'); die(); }
This could be AJAX-ified similar to what we did last week.
ASVS 3.5 Requirement:
Verify that all pages that require authentication to access them have logout links.
ASVS 3.5 Solution:
Another easy fix requiring little code; add a link to the logout page on each page for which the user must be authenticated. This enables users to easily logout of their session and thus destroys associated session data.
ASVS 3.6 Requirement:
Verify that the session id is never disclosed other than in cookie headers; particularly in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies.
ASVS 3.6 Solution:
This requirement reduces the likeliness that an attacker can gain access to session ID’s. Part of this requirement can be satisfied with the right PHP configuration. Configure your php.ini file with the following settings:
// PHP will use cookies for maintaining session state session.use_cookies = 1 // PHP will only use cookies to store session ID's on the client side session.use_only_cookies = 1 // Disable PHP's support for URL based sessions session.use_trans_sid = 0
If you must include a session ID in form data for some reason, use the HTTP POST method, so that it will not be logged on the server side (GET requests are logged).
ASVS 3.7 & 3.8 Requirements:
Verify that the session id is changed on login.
Verify that the session id is changed on reauthentication.
ASVS 3.7 & 3.8 Solution:
This requirement helps prevent session fixation attacks. If an attacker were to trick a user into visiting the application and the session ID is part of the URL, then changing the session ID upon login will prevent a successful session fixation attack. Add the following snippet of source after the code on your login page in which a user’s authentication is validated:
// Generate a new session ID and assign it to the current session session_regenerate_id(true);
ASVS 3.9 Requirement:
Verify that the session id is changed or cleared on logout.
ASVS 3.9 Solution:
Add the code above for ASVS 3.7 and 3.8 to the logout page:
session_regenerate_id(true);
This code could come before the redirect to the login page found in our previous post for ASVS 3.2.
Next week we should finish up ASVS section 3.x. We will then cover the authentication requirements in ASVS section 2.x to wrap up our discussions on OWASP A3 – Broken Authentication and Session Management.
Search Posts
Security Categories
- Android
- Apache Security
- Burp
- CodeWatch
- Deadrop
- Java
- Linux
- Metasploit
- OWASP 2010 A1
- OWASP 2010 A10
- OWASP 2010 A2
- OWASP 2010 A3
- OWASP 2010 A4
- OWASP 2010 A5
- OWASP 2010 A6
- OWASP 2010 A7
- OWASP 2010 A9
- OWASP 2013 A9
- Penetration Testing
- Phishing
- PHP Security
- PowerShell
- Python
- Social Engineering
- Unix
- Windows
Top Tags
ASVS 3.1 ASVS 3.2 ASVS 3.3 ASVS 3.4 ASVS 3.5 ASVS 3.6 ASVS 3.7 ASVS 3.8 ASVS 3.9 ASVS 3.10 ASVS 3.11 ASVS 3.12 ASVS 3.13 ASVS 11.4 bcrypt Burp Suite Pro CodeWatch CryptoPP Hashcat Hyperion Java Linux Metasploit Meterpreter mimikatz msfencode msfpayload Ophcrack OWASP 2010 A1 - Injection OWASP 2010 A2 - Cross-Site Scripting (XSS) OWASP 2010 A3 - Broken Authentication and Session Management Penetration Testing Phishing PHP Powershell Python SET Shellcodeexec Social Engineering Unix Veil VirusTotal WAF Web App Pentesting Windows