Php Session Security


interfasys


  • 2 weeks later...

I've just looked at a few settings from that page and although hosts can implement most of them on their own, Blesta could tighten the security of their session management using some of the tips found on that page unless you're not using PHP sessions.

 

I meant, what explicitly do you think we should consider? Safe mode added in 5.4? What else? Blesta already uses HttpOnly. Secure cookies aren't feasible because not everyone forces SSL. That's why I'm asking, specifically, what options you think Blesta should support.


 

Ah.

session.cookie_httponly = On
session.hash_function = "sha256"
session.cookie_secure = On

The last one only when SSL is enabled, just like you might want to send HSTS headers if you don't already.

 

It sounds like everything you want done are things that the host should be doing mainly or are configurations that you can do to the server.


> Ah.
>
> session.cookie_httponly = On
> session.hash_function = "sha256"
> session.cookie_secure = On
>
> The last one only when SSL is enabled, just like you might want to send HSTS headers if you don't already.

I don't think HSTS should be enabled by default. It's great and I use it myself but it's not something you can just disable if you don't want it.

> I don't think HSTS should be enabled by default. It's great and I use it myself but it's not something you can just disable if you don't want it.

If I understand the OP correctly, this could be used.

ini_set( 'session.cookie_httponly', 1 );

But it can be done using .htaccess too:

<IfModule php5_module>
php_value session.cookie_httponly true
</IfModule>

More: http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php


> It sounds like everything you want done are things that the host should be doing mainly or are configurations that you can do to the server.

Yeah, but as we know, hosts don't care; some still run Blesta on PHP 5.2. So it's best to be proactive with these things and help them protect their customers' data.

 

> I don't think HSTS should be enabled by default. It's great and I use it myself but it's not something you can just disable if you don't want it.

It could be made optional from the settings tab. There could be a new security section where you can enable all these things.

 

> If I understand the OP correctly, this could be used.
>
> ini_set( 'session.cookie_httponly', 1 );
>
> But it can be done using .htaccess too:
>
> <IfModule php5_module>
> php_value session.cookie_httponly true
> </IfModule>
>
> More: http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Never do it via .htaccess in 2014! ini_set is the way to go.

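Pulling the thread's settings together as an added example (this is not Blesta's code): the ini_set() approach applied before session_start(), with cookie_secure switched on only when the request actually came over SSL, HSTS left as an explicit opt-in, and the sha256 hash suggestion guarded by a version check because session.hash_function was removed in PHP 7.1. The function and option names are assumptions; it assumes PHP sits directly behind the web server with no TLS-terminating proxy.

```php
<?php
// Added example, not Blesta's code: the thread's ini_set() approach, applied before
// session_start(), with cookie_secure and HSTS only enabled when the request used TLS.

function request_is_https(array $server)
{
    // Assumes no TLS-terminating proxy; behind one, consult X-Forwarded-Proto from a trusted proxy only.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function configure_session_cookie($https)
{
    // All of this must run before session_start(), which is where the cookie is emitted.
    ini_set('session.use_only_cookies', '1');             // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');              // reject ids the server never issued (PHP >= 5.5.2)
    ini_set('session.cookie_httponly', '1');              // same effect as the php_value line above
    ini_set('session.cookie_secure', $https ? '1' : '0'); // only when SSL is on, as the thread suggests
    if (PHP_VERSION_ID >= 70300) {
        ini_set('session.cookie_samesite', 'Lax');        // CSRF hardening, available from PHP 7.3
    }
    // session.hash_function was removed in PHP 7.1 (ids come from a CSPRNG since), so sha256 only applies to older runtimes.
    if (PHP_VERSION_ID < 70100) {
        ini_set('session.hash_function', 'sha256');
        ini_set('session.hash_bits_per_character', '5');
    }
}

function start_hardened_session($hstsOptIn = false)
{
    $https = request_is_https($_SERVER);
    configure_session_cookie($https);
    // HSTS stays off unless an admin opted in, since it cannot simply be switched off later.
    if ($https && $hstsOptIn) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
    session_start();
}

function on_successful_login()
{
    // Rotate the id after authentication so a pre-login id cannot be reused (session fixation).
    session_regenerate_id(true);
}
```

Call start_hardened_session() from the front controller before any output is sent, and on_successful_login() right after credentials are verified.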

  • 6 years later...

I notice many customer management and support systems for web hosting providers do not follow some security practices when it comes to sessions. Security standards are vital to the well-being of any website, large or small. That's why site owners are often bombarded by warnings of security risks. For instance, after hours of searching for why encryption is important for data protection in PHP, I got this php encode password which has shown in detail how to secure data from hackers.
