sanitize and validation of sessions and cookies

tessimon (Guest)
Aug 27, 2012

From a security point of view I am sanitizing and validating input.

On a user registration I create a session using the posted username which is sanitized and validated first.

On any further visit, when the user logs in, their username is validated against the database and again a session is created and used throughout their pages.

I only ever set the SESSION for the user but in my code to end the session (as per information I have seen and read) I end the session with :

unset($_SESSION['username']);
$_SESSION = array();

// invalidate the session cookie
if (isset($_COOKIE['username'])) {
    setcookie('username', '', time()-86400, '/');
}

session_destroy();

Now, I never actually set the cookie or use it to my knowledge, but I have seen that this code should be used to end a session, therefore I presume there is a valid reason and that the SESSION must use the COOKIE, and I am wondering if $_COOKIE['username'] should be sanitized each time the user goes to a different page in their administration pages. I have seen that the filter_input functions have an option to filter cookie input. I apologise for not fully understanding what the cookies in this situation are used for; all I do is actually set the session on login and end it on logout.

Would I need to be doing something like:

if (filter_has_var(INPUT_COOKIE, "username")) {
    $cleancookie = filter_input(INPUT_COOKIE, 'username', FILTER_SANITIZE_STRING);
    $_COOKIE['username'] = trim($cleancookie);
}

Perhaps it would also help if I knew why I was having to reset the session cookies when I end a session, if someone would kindly explain.

Further to sanitizing the session cookies, what about the value stored in $_SESSION['username']? As the user moves between their admin pages, should this value be sanitized, and if so, could someone please advise me of the best method to do this? Would I have to perhaps validate it against expected values of, say, just letters and numbers?

Thank you in advance for any help, information and answers to help me understand and resolve the above security issues.

David_Powers (LEGEND)
Aug 29, 2012

tessimon wrote:

Perhaps it would also help if I knew why I was having to reset the session cookies when I end a session, if someone would kindly explain.

PHP sessions rely on cookies being enabled, but they don't use cookies to store values such as username. Instead they create session variables.

The difference is that the values in a cookie are stored on the user's computer. The values in session variables are stored on the server. The only value that's stored on the user's computer is the session ID (which is stored as a cookie).

When closing a session, using unset() for session variables followed by session_destroy() should be sufficient. If you have a large number of session variables, the following line of code has the effect of destroying them all:

$_SESSION = array();

Running session_destroy() then removes the session ID from the user's computer.

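As an added example (not code from the thread or from either poster), here is a complete logout routine that does what the reply above describes, and additionally expires the cookie that carries the session ID. The PHP manual's own session_destroy() example does the same, because session_destroy() removes the server-side data but does not itself delete the browser's cookie; that cookie is named by session_name() (usually PHPSESSID), not 'username'. The redirect target login.php is an assumption.

```php
<?php
// Added example: full logout. Assumes the application uses PHP's default
// cookie-based sessions and that login.php is the page to return to.

function logout_user()
{
    // session_destroy() only works on an active session.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop every server-side session variable, not only 'username'.
    //    Equivalent to calling unset() on each key in turn.
    $_SESSION = array();

    // 2. Expire the session ID cookie in the browser. Its name comes from
    //    session_name(); the cookie attributes are read back from the
    //    session configuration so the expiry matches the original cookie.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,          // a time in the past deletes the cookie
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // 3. Delete the session data stored on the server.
    session_destroy();
}

logout_user();
header('Location: login.php');
exit;
```

Without step 2 the old session ID remains in the browser; PHP will simply not find any data for it, so the user is logged out either way, but clearing the cookie keeps the identifier from being sent on every later request.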
tessimon (Guest)
Aug 30, 2012

Thanks David,

Just to confirm my understanding, the...

// invalidate the session cookie
if (isset($_COOKIE['username'])) {
    setcookie('username', '', time()-86400, '/');
}

...in my code is irrelevant in this situation and can be removed?

Leaving:

unset($_SESSION['username']);
session_destroy();

What about the security of the SESSION ID variable that is stored as a cookie on the user's computer? Can this be corrupted? Is there a way I should be sanitizing its value as the user moves between their admin pages? Each admin page always checks isset($_SESSION['username']) before doing anything, but I do not compare the value of the session to the database on every page; I only do this when the user logs in. I am just trying to cover all the security angles of my site before it goes online.

Thank you for your explanation and I look forward to confirmation / comments on the above.

best regards.

David_Powers (LEGEND)
Aug 30, 2012

tessimon wrote:

// invalidate the session cookie
if (isset($_COOKIE['username'])) {
    setcookie('username', '', time()-86400, '/');
}

...in my code is irrelevant in this situation and can be removed?

Leaving:

unset($_SESSION['username']);
session_destroy();

Yes. That should be sufficient.

What about the security of the SESSION ID variable that is stored as a cookie on the user's computer? Can this be corrupted?

After someone has logged in, it's generally considered a good idea to regenerate the session ID using session_regenerate_id(). It needs to be done only once at the point the user's credentials have been verified.

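As an added example (not code from the thread or from either poster), here is a login handler and a per-page guard that put the advice above into practice: validate the submitted username against an allowed pattern, verify the password against the database with a prepared statement, and call session_regenerate_id() exactly once, after the credentials check succeeds. It also answers the earlier question about $_SESSION['username']: values PHP stores on the server are not user input and need no sanitizing on each page, but they must still be escaped when echoed into HTML. The PDO connection $pdo, the users table and its username / password_hash columns, and the page names are assumptions for illustration; FILTER_SANITIZE_STRING from the original question is deprecated as of PHP 8.1, which is why a whitelist pattern is used instead.

```php
<?php
// Added example: login with session ID regeneration plus an admin-page guard.
// Assumes $pdo is an open PDO connection and the table/column names below.

session_start();

function login_user(PDO $pdo, $username, $password)
{
    // Validate, don't sanitize: accept only the expected username format
    // (letters, digits, underscore, 3-32 characters) and reject the rest.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return false;
    }

    // Prepared statement: the username travels as a bound parameter and is
    // never concatenated into the SQL text.
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute(array($username));
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the submitted password against the stored
    // password_hash() value; a missing user and a wrong password fail alike.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Credentials verified: replace the pre-login session ID so that any
    // identifier the browser held before authentication is no longer valid
    // (the defence against session fixation). true deletes the old session
    // file. Done once, here, not on every page.
    session_regenerate_id(true);

    $_SESSION['user_id']      = (int) $user['id'];
    $_SESSION['username']     = $user['username'];   // value from the database, not raw POST
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Guard for the top of every admin page. The session contents come from the
// server-side store, so the check is only "is a user logged in", not
// "is the value clean".
function require_login()
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Escape a server-side value at the point it is written into HTML. This is
// where 'username' needs treatment, not when it is read back from $_SESSION.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Usage in login.php (assumed page name):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if (login_user($pdo, $username, $password)) {
        header('Location: admin/index.php');   // assumed page name
        exit;
    }
    $error = 'Invalid username or password.';
}

// Usage at the top of an admin page:
//   require_login();
//   echo 'Welcome, ' . h($_SESSION['username']);
```

Regenerating the ID once at login, rather than on every request, is the pattern the reply recommends; regenerating on every page adds little and can log users out when two requests race.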
tessimon (Guest)
Aug 30, 2012

Thank you so much. I was not aware of session_regenerate_id(); I will do this after I have verified the user with the database, as you suggested.

best regards.
