
[3.x][security improvement] make PHP sessions more secure #186

Closed
devplanete opened this issue Aug 24, 2013 · 5 comments

Comments

@devplanete
Contributor

I have found interesting information on session_start at this link: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL#Create_PHP_Functions

It seems that session_start() is not enough to really have a "safe" session well protected against XSS attacks and session hijacking.

The article proposes replacing session_start with the secure_session_start below.
This function makes your login script a whole lot more secure. It stops hackers from being able to access the session id cookie through JavaScript (for example, in an XSS attack).
It also uses the "session_regenerate_id()" function, which regenerates the session id on every page reload, helping to prevent session hijacking.

function secure_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = false; // Set to true if using https.
    $httponly = true; // This stops JavaScript from being able to access the session id.

    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    $cookieParams = session_get_cookie_params(); // Gets the current cookie params.
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the PHP session
    session_regenerate_id(true); // Regenerate the session id and delete the old session (true is required for the deletion).
}

Looks nice?

@GrahamCampbell
Contributor

I'd disagree with regenerating the session id on each request. I only do it on login/logout.

@GrahamCampbell
Contributor

I personally would use these settings in addition to the ones you mentioned:

session_set_cookie_params(900);
ini_set('session.gc_maxlifetime', 900);
ini_set('session.hash_function', 'whirlpool');
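
An added example (not code from this issue or from the php-login project) that combines the settings discussed in this thread and regenerates the id only at login/logout, as suggested above, with the 900 second timeout enforced server-side. It assumes PHP 7.3+ for the array form of session_set_cookie_params(); since session.hash_function was removed in PHP 7.1, id strength is set with session.sid_length and session.sid_bits_per_character instead, and SESSION_NAME, IDLE_TIMEOUT, login_user() and logout_user() are names chosen for this example.

```php
<?php
const SESSION_NAME = 'sec_session_id';   // assumed constant, not from the project
const IDLE_TIMEOUT = 900;                // seconds, the value used in the thread

function secure_session_start(): void
{
    // Accept only ids the server issued (blocks fixation with a planted id).
    // session.hash_function is gone since PHP 7.1; id strength is set with
    // sid_length / sid_bits_per_character instead.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
    session_set_cookie_params([
        'lifetime' => 0,      // expires with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable by JavaScript (XSS theft)
        'samesite' => 'Lax',  // not sent with cross-site POSTs
    ]);
    session_name(SESSION_NAME);
    session_start();
    // Server-side idle timeout; the cookie's own lifetime is not trusted.
    $last = $_SESSION['last_activity'] ?? time();
    if (time() - $last > IDLE_TIMEOUT) {
        $_SESSION = [];               // drop stale state, including user_id
        session_regenerate_id(true);  // fresh id, old one deleted
    }
    $_SESSION['last_activity'] = time();
}

function login_user(int $userId): void
{
    // Privilege change: new id so a pre-login id an attacker may have seen
    // or planted is not bound to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```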

@panique
Owner

panique commented Dec 23, 2013

Would be cool if somebody could implement (and test) this in the new https://github.com/panique/php-login-advanced and the new 4-full-mvc, which is now in the develop branch of THIS repo.

Seems to be a cool feature, but could also be a massive security hole if wrongly implemented. Currently I don't have the time to do this :(

@panique
Owner

panique commented Mar 9, 2014

Moved this to 3.0

@panique panique removed the v3.0 label Jan 25, 2015
@panique panique removed this from the 3.0 milestone Jan 25, 2015
@devplanete devplanete removed this from the 3.0 milestone Jan 25, 2015
@panique panique added the v3.0 label Jan 25, 2015
@panique panique changed the title from "[3.0][security improvement] make PHP sessions more secure" to "[3.x][security improvement] make PHP sessions more secure" Mar 14, 2015
@panique
Owner

panique commented Sep 7, 2015

This feature has now been implemented (in develop and master branch), but a new session id is only created at some security-critical points inside the application.

Please have a look at #693 for some real information and, for sure, the merged code.

@panique panique closed this as completed Sep 7, 2015
3 participants