php - Session token - how does it work?

Question

I'm wondering how you could best protect sessions. I've searched a bit and find a lot of answers, but many of them are just too confusing.

How to prevent sessions from being hijacked? I've read a lot about "sessions tokens" you generate in a form, but really don't understand what their use is. How does this prevent session hijacking?

I know you don't save things like passwords in sessions, but what CAN you store in them safely? Permissions (like a session variabele which keeps track of the user level. Every time a page is opened, the session variabele is checked. It's it's not a certain number, you get an "access-denied" message displayed)? Or how do you handle this best?

Thank you!

Answer 1

You can basically store anything in the session that you want, it is just considered "best" practice not to include any security sensitive information, such as passwords, in case a layer of security is compromised.

The first step to preventing session hijacking is to not pass your session_id() via url. Users are stupid, and they will post links on their blogs with their session id, which would basically give whoever clicked that link access to their session. Therefore, it is recommended to store your session id in the users cookie.

With that said, you want to filter and escape all your user input. If you have an XSS injection, and the user is able to inject javascript, they will be able to read your cookies without a problem.

From there, you generally want to regenerate_session_id() on any major action on your website, to prevent session fixation.

It's pretty simple, and that about sums it up.