
I need to create a very strong and secure session using PHP and MySQL. I'm reading the following guide: Create a Secure Session Management System in PHP and MySQL; is it secure and solid? Please post the best method to secure a session.

At the moment the security is granted by this little script based on the guide above, but I know it is not so secure, please help me to improve it:

function sec_session_start() {
  $session_name = "sec_session_id"; // Placeholder: the posted snippet left this empty, but session_name() rejects an empty name.
  $secure = true; // Set this to true if you want to use the 'https' protocol.
  $httponly = true; // This prevents JavaScript from being able to access the session id.
  ini_set('session.use_only_cookies', 1); // Force the session to use cookies only.
  $cookieParams = session_get_cookie_params(); // Read the current cookie parameters.
  $cookieParams["lifetime"] = 1440; // Must be set after reading the defaults; the posted order overwrote it.
  session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
  session_name($session_name); // Set the session name to the one chosen at the start of the function.
  session_start(); // Start the PHP session.
  session_regenerate_id(true); // Regenerate the session id and delete the previous one.
}

My server is now a simple machine with Ubuntu; I installed only a few programs like Apache, PHP5, MySQL, phpMyAdmin and Webmin. Currently access via SSH is active and I think this can cause safety problems, but for the moment the project is not launched, so there aren't these types of problems yet. I'm using PDO for all SQL scripts.

More than anything I need information on how to improve the security of sessions in PHP, because in my opinion these are the most at risk for the moment. I'm also trying to optimize the script against SQL injection, brute force attacks, and DDoS.

  • Do you work for HackingTeam? – scrowler Jul 18 '15 at 10:29
  • Sessions are secure, unless someone can get into your physical server. Use HTTPS for server to client encryption too. – scrowler Jul 18 '15 at 10:30
  • Ahahah no, I'm not working for a hacking team, I'm too young (and I don't like hackers). I want to create an online chat system, but I need security. I'm just using https, but I'm worrying about security. – leofabri Jul 18 '15 at 10:35
  • I need a really safe guide that teaches me how to protect my users; one that allows me to sleep peacefully at night XD – leofabri Jul 18 '15 at 10:37
  • Generally speaking, how secure or insecure your application is will depend on how well written the code is. Just apply best practices and protect from XSS, SQL injection etc. – scrowler Jul 18 '15 at 11:43
  • Use POST not GET. Use TLS. Use military-grade PKI inside TLS. Save data to encrypted volumes. House at a fortified site with men wielding Uzis. – Drew Jul 18 '15 at 11:43
  • Ok Drew, that advice! – leofabri Jul 18 '15 at 12:02
  • Please provide a bit more info on your server, app, and overall goal by editing your question, and I may be able to help more -- thanks! – rholmes Jul 18 '15 at 12:47
  • And now I'm using an SSL certificate. – leofabri Jul 18 '15 at 13:12
  • Thank you for editing my question XD – leofabri Jul 19 '15 at 06:46
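A hardened version of the posted snippet, added here as an example (it is not the asker's code nor the guide's): it keeps the cookie flags, adds SameSite and strict mode, enforces idle and absolute timeouts on the server side, and moves session_regenerate_id() to the login step instead of every request. The session name, timeout values and the login function are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the question or the linked guide. Needs PHP >= 7.3
// for the array form of session_set_cookie_params(). Names/values are assumptions.
const SESSION_NAME = 'app_sid'; // placeholder: any non-empty name of your choosing
const IDLE_TIMEOUT = 1440;      // seconds allowed between two requests
const ABS_TIMEOUT  = 8 * 3600;  // seconds since login, however active the user is

function sec_session_start(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued (anti-fixation)
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie; the server-side timeouts below expire it
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on most cross-site requests (CSRF mitigation)
    ]);
    session_name(SESSION_NAME);
    session_start();
    $now = time();
    $idle = isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT;
    $old  = isset($_SESSION['created'])   && $now - $_SESSION['created']   > ABS_TIMEOUT;
    if ($idle || $old) {
        $_SESSION = [];               // drop the data
        session_destroy();            // and the server-side record
        session_start();              // start again ...
        session_regenerate_id(true);  // ... under a brand new id
    }
    $_SESSION['last_seen'] = $now;
    $_SESSION['created']   = $_SESSION['created'] ?? $now;
}

// Call right after the password check succeeds. Rotating the id at the privilege
// boundary is what defeats session fixation; rotating on every request, as the
// original snippet does, gains little and can break parallel AJAX requests.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['created'] = time();
}
```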

1 Answer

Building a secure web client-server app contains a lot of moving parts, and a lot depends on deployment: single machine at home vs hosted slice vs hosted VM vs physical co-located cluster... And the overall architecture of your application.

Based on the guide you reference ("How to Create a Secure Session Management System in PHP and MySQL") and the fact you care most about the security of the sessions, I'll focus my answer on this aspect of security.

Note that the guide you reference is addressing specifically the ability to securely store session information in the database by using encryption. The guide will protect your user's session data in the event that someone hacks into your server and has access to your machine and is able to read your database.

The guide you reference explicitly does not address establishing a secure connection via https, which alone has a lot of moving parts, from the way the server is configured to the versions of SSL/TLS you allow clients to connect with. Be sure to allow only the more recent and secure variants. This is probably covered in many other SO posts and internet guides. The definitive guide to form-based website authentication looks like a good start.

The guide you are using seems like a decent start for ensuring that sensitive session data stored in your database is protected via encryption in the event a hacker "owns" (has full access to) your server. I'm sure, as with any security question, there are parts to criticize in the guide, as nothing is completely foolproof.

A good start on security is just making it non-trivial to hack; you'll need to do a lot more than that if you are a high-value target, such as a bank or a merchant storing credit card numbers, or even social security numbers and personal information that could be used for financial fraud.

To evaluate the security of the SSL configurations and software on your server, enter your domain at the following SSL Labs Website Verification Site and receive an A+ to F- grade with a detailed report card.

The guide you've been reading does nothing to reduce the risk of SQL injection, which is best done by sanitizing any user input before sending it to the database, as well as writing very good PHP and JavaScript to prevent any exploitable bugs. Of course, brute force and DoS are other topics not addressed.

I'd say that the passwords for phpMyAdmin and Webmin are very important to secure, because any admin-level password access to your machine is a vulnerability. Use strong, non-guessable passwords and avoid accessing the server from unknown or public wifi hotspots. If you like to ssh to your machine to configure it, consider measures such as disallowing password-based authentication (go to key-based auth instead). Running the ssh daemon on an alternate port can discourage a lot of "script kiddie" style hackers as well as a huge number of botnets.

Some security tactics to avoid are given in this editorial called The Six Dumbest Ideas in Computer Security. It's a bit dated (2005) but gives some useful (but opinionated) big-picture ideas on a philosophy of security.

Finally, read all that you can from reputable sources, take them all with a grain of salt, and form your own (informed) opinions!

Good luck with your project!
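The encrypted-storage idea the answer attributes to the guide, as an added example that is not the answer's or the guide's code: a PDO-backed session handler that encrypts each record with libsodium, binds the ciphertext to its session id so a record copied between rows will not decrypt, and uses prepared statements throughout, which is also the PDO defence against the SQL injection mentioned above. The table definition, the key source and the class name are assumptions; it needs PHP 7.2 or later.

```php
<?php
// Added example, not code from the question, the answer or the linked guide.
// Assumed table (constructed): CREATE TABLE sessions (id VARBINARY(128) PRIMARY KEY,
//   data BLOB NOT NULL, expires INT UNSIGNED NOT NULL);
class EncryptedPdoSessionHandler implements SessionHandlerInterface
{
    const NONCE = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24 bytes
    private $db, $key, $ttl;
    // $key: 32 bytes, kept outside the database and web root (e.g. an env variable)
    public function __construct(PDO $db, string $key, int $ttl = 1440)
    {
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('session key must be exactly 32 bytes');
        }
        $this->db = $db; $this->key = $key; $this->ttl = $ttl;
    }
    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $blob = $st->fetchColumn();
        if ($blob === false || strlen($blob) <= self::NONCE) {
            return ''; // unknown or expired id: PHP starts an empty session
        }
        // The session id is the associated data, so a ciphertext copied from another
        // row, or tampered with, fails authentication and yields an empty session.
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($blob, self::NONCE), $id, substr($blob, 0, self::NONCE), $this->key);
        return $plain === false ? '' : $plain;
    }
    public function write($id, $data): bool
    {
        $nonce = random_bytes(self::NONCE); // fresh nonce per write, stored before the ciphertext
        $blob = $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($data, $id, $nonce, $this->key);
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $blob, time() + $this->ttl]);
    }
    public function destroy($id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc($max_lifetime): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}
```

Register it with session_set_save_handler(new EncryptedPdoSessionHandler($pdo, $key), true) before session_start(), where $pdo is a PDO connection opened with PDO::ERRMODE_EXCEPTION and $key is 32 random bytes loaded from somewhere a database dump cannot reach.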
