slim-auth
Security options (Update documentation to include details on session security)
With the old solution, using SessionCookie, I was able to set some encryption- and secret key-options. Are there any security related options I should set using Zend sessions?
Yes, there are, although at first glance they're not as explicit as the `SessionCookie` settings.
First I'd review your `php.ini` cookie settings using an automated tool. I prefer `psecio/iniscan`.

```shell
composer require psecio/iniscan
# ... wait for installation to complete ...
./vendor/bin/iniscan scan --path /path/to/php.ini
```
Here's an example of the output of the cookie section of the `iniscan`:

```
./vendor/bin/iniscan scan --path /etc/php5/fpm/php.ini
== Executing INI Scan [03.31.2015 14:05:50] ==
Results for /etc/php5/fpm/php.ini:
============
Status | Severity | PHP Version | Key | Description
----------------------------------------------------------------------
PASS | ERROR | | session.use_cookies | Accepts cookies to manage sessions
PASS | ERROR | 4.3.0 | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link
PASS | WARNING | | session.cookie_domain | It is recommended that you set the default domain for cookies.
PASS | ERROR | 5.2.0 | session.cookie_httponly | Setting session cookies to 'http only' makes them only readable by the browser
PASS | ERROR | 4.3.0 | session.bug_compat_42 | An undocumented feature/bug that allows initialize of a session in the global scope even if register_globals is disabled for PHP up to 5.3.22
PASS | WARNING | 4.3.0 | session.bug_compat_warn | Disable warnings for session.bug_compat_42
PASS | WARNING | | session.hash_function | Check against a list of recommended session hashing functions
PASS | WARNING | | session.save_path | Session save path should be set and writeable by only the web user
PASS | ERROR | 4.0.3 | session.use_trans_sid | If used 'use_trans_sid' setting puts the session ID on the URL, making it easier to hijack
PASS | ERROR | 4.0.4 | session.cookie_secure | Cookie secure specifies whether cookies should only be sent over secure connections.
PASS | WARNING | | session.entropy_file | A file should be provided to help provide session entropy
PASS | WARNING | 5.5.2 | session.use_strict_mode | Strict mode prevents uninitialized session IDs in the built-in session handling.
```
The output will recommend some changes to your cookie settings which you can either implement directly in your `php.ini` or add to the `SessionConfig` as shown below:

```php
use Zend\Session\Config\SessionConfig;

$sessionConfig = new SessionConfig();
$sessionConfig->setOptions(array(
    'cookie_secure' => true,
    'remember_me_seconds' => 60 * 60 * 24 * 7,
));
```
(RE: `session.hash_function`: You can verify the hashing algorithms available to your PHP installation by executing the following from the command line: `php -r "var_dump(hash_algos());"`)
The PHP documentation on Sessions and security is excellent. I highly recommend reviewing it to better understand your options when it comes to securing sessions.
The Zend\Session documentation is not as clear as it could be, but it does show all of the settings available to `SessionConfig`. Any settings you add to `SessionConfig` are settings you don't have to update in `php.ini`, which is nice because you can change your settings programmatically based on your application environment.
I'll add examples to the Slim Auth sample implementation as soon as I get the chance.
Thanks for the excellent question, by the way. I'll make sure to update the documentation to include details on Zend\Session and session security.
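The following is an added example, not code from the slim-auth project or from the comment above: it takes the `iniscan` findings listed earlier (`use_only_cookies`, `cookie_httponly`, `cookie_secure`, `hash_function`, `use_strict_mode`, `cookie_domain`) and applies them through `SessionConfig`, then hands the resulting `SessionManager` to the Zend\Authentication session storage that slim-auth relies on. It assumes the ZF2-era `zendframework/zend-session` and `zendframework/zend-authentication` packages are installed via Composer; `APP_ENV` is a hypothetical environment variable, `example.com` is a placeholder domain, and `onSuccessfulLogin()` is a hypothetical helper you would call from your own login handler.

```php
<?php
// Added example (not slim-auth project code): hardened Zend\Session setup
// driven by the iniscan findings, wired into Zend\Authentication storage.
require __DIR__ . '/vendor/autoload.php';

use Zend\Session\Config\SessionConfig;
use Zend\Session\SessionManager;
use Zend\Session\Container;
use Zend\Session\Validator\HttpUserAgent;
use Zend\Authentication\Storage\Session as SessionStorage;

// Assumption: APP_ENV is a hypothetical variable; cookie_secure is relaxed only
// for local HTTP development and stays on everywhere else.
$isProduction = getenv('APP_ENV') !== 'development';

$sessionConfig = new SessionConfig();
$sessionConfig->setOptions(array(
    'name'                    => 'slimauth',     // don't advertise PHPSESSID
    'use_cookies'             => true,
    'use_only_cookies'        => true,           // never accept an id from the URL
    'use_trans_sid'           => false,          // no session id rewriting into links
    'cookie_httponly'         => true,           // unreadable from JavaScript
    'cookie_secure'           => $isProduction,  // HTTPS-only cookie in production
    'cookie_domain'           => 'example.com',  // placeholder: your own domain
    'cookie_path'             => '/',
    'hash_function'           => 'sha256',       // must be listed by hash_algos()
    'hash_bits_per_character' => 5,
    'use_strict_mode'         => true,           // PHP >= 5.5.2: reject unknown ids
    'gc_maxlifetime'          => 60 * 60 * 2,    // idle sessions die after 2 hours
    'remember_me_seconds'     => 60 * 60 * 24 * 7,
));

$sessionManager = new SessionManager($sessionConfig);

// Tie the session to the browser's User-Agent; the validator runs on every
// session start and an id presented from a different client is rejected.
$sessionManager->getValidatorChain()
    ->attach('session.validate', array(new HttpUserAgent(), 'isValid'));

// Make every Zend\Session\Container in the app use this manager.
Container::setDefaultManager($sessionManager);

// Give Zend\Authentication the hardened manager instead of the default one.
$authStorage = new SessionStorage('SlimAuth', null, $sessionManager);

// Hypothetical helper: call this from the login handler once credentials are
// accepted, so the pre-login session id cannot be reused (session fixation).
function onSuccessfulLogin(SessionManager $manager)
{
    $manager->regenerateId(true); // true: discard the old session data too
}
```

Because these options go through `SessionConfig`, nothing here needs to be mirrored in `php.ini`; re-running `iniscan` afterwards will still report the ini file's values, so treat its output as a baseline and the code above as the per-environment override.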
Thank YOU Jeremy, I'll look into this asap!