Configuring PHP Sessions
Now that we know how to use sessions and have built a simple login system, let’s take a look at some options for configuring PHP sessions.
Out of the box, PHP uses file-based sessions with a session.gc_maxlifetime of 1440 seconds (a mere 24 minutes). Garbage collection runs with a probability of 1/100, i.e. on about 1% of session starts. Since PHP 5 you can choose the hash function used to build session IDs; it defaults to MD5 (128 bits) with no entropy file configured, unless you are on 5.4+, where session.entropy_file defaults to /dev/urandom or /dev/arandom.
These defaults are fine for many sites, but what if you want sessions to last longer, or want to tighten session security a bit? Either way, you change the settings in php.ini or set them at runtime with ini_set() before session_start() is called.
session.gc_maxlifetime
This is how long a session may sit untouched before the garbage collection routine is allowed to purge it; the clock is measured from the session file's last modification, and the purge only happens when garbage collection actually runs, so it is an upper bound on idle time rather than a hard cutoff. I generally set this to 86400 (24 hours) on websites where I know users log in every day. Two caveats: the session cookie has its own, separate lifetime (session.cookie_lifetime), and on Debian and Ubuntu packages php.ini ships with session.gc_probability=0 and a cron job purges the session directory using the gc_maxlifetime value from php.ini, so raising it with ini_set() alone will not keep sessions alive on those systems.
session.gc_probability and session.gc_divisor
Is garbage collection on 1% of requests too often or not often enough for your taste? If so, change session.gc_divisor to run it less often (increase the value) or more often (decrease the value). The probability that a call to session_start() triggers garbage collection is session.gc_probability / session.gc_divisor. If you set the probability to 0, nothing will ever purge the session store unless something else (such as a cron job) does it for you.
session.hash_function
As mentioned, the default hash function is MD5, but what if we want a longer session ID? Setting session.hash_function to 1 selects SHA-1 (160 bits). Since PHP 5.3 you can also specify any algorithm name returned by hash_algos(), such as sha256. Note that a longer digest does not by itself make IDs harder to guess: the ID is only as unpredictable as the entropy that goes into it, which is what session.entropy_file (below) controls. In PHP 7.1 session.hash_function and the entropy settings were removed; the ID is now read directly from the operating system's random source, and its length is controlled by session.sid_length and session.sid_bits_per_character instead.
session.name
By default the session cookie is named PHPSESSID. Renaming it to something application-specific hides the fact that the site runs PHP from casual fingerprinting, but it does nothing to make session IDs harder to guess or to stop session hijacking; treat it as a minor obscurity measure, not as a security control.
session.entropy_file and session.entropy_length
If you’re running Ubuntu 12.04 LTS like me you are probably still on PHP 5.3, which does not set these values by default. The entropy file is a file or device (not a program) that is read to seed the session ID generator, and session.entropy_length is the number of bytes (not bits) read from it. I usually go with /dev/urandom and a length of 512; 32 bytes is already more than the digest can use, so anything above that only costs a slightly larger read.
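The following is an added example, not code from the original post, showing how the settings discussed above can be applied at runtime with ini_set() before session_start(). The function names, the cookie name appsid and the chosen values are illustrative; it assumes PHP 5.3 or later with the default files save handler, and branches on PHP_VERSION_ID because the hash and entropy settings no longer exist from PHP 7.1 onward.

```php
<?php
// Added example (not from the original post): apply the tuning settings
// discussed above at runtime, before session_start(). Values are illustrative.
// Assumes PHP 5.3+ and the default "files" save handler.

function configure_session_tuning()
{
    // 24 hours, counted from the session file's last modification. Only takes
    // effect when garbage collection actually runs.
    ini_set('session.gc_maxlifetime', '86400');

    // Run garbage collection on ~1% of session starts (1/100). Debian and
    // Ubuntu packages ship gc_probability=0 and rely on a cron job that reads
    // gc_maxlifetime from php.ini, so on those systems set it in php.ini too.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');

    // Rename the cookie so the stack is not advertised as PHP. This does not
    // make IDs harder to guess; ID strength comes from the generator settings.
    ini_set('session.name', 'appsid'); // hypothetical cookie name

    if (PHP_VERSION_ID < 70100) {
        // PHP 5.3 - 7.0: choose the digest and the entropy source.
        // Any name from hash_algos() is accepted since 5.3; fall back to SHA-1.
        if (in_array('sha256', hash_algos(), true)) {
            ini_set('session.hash_function', 'sha256');
        } else {
            ini_set('session.hash_function', '1');
        }
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '32'); // bytes, not bits
    } else {
        // PHP 7.1+ removed hash_function/entropy_*; the ID comes straight from
        // the OS CSPRNG and only its length and alphabet are configurable.
        ini_set('session.sid_length', '48');
        ini_set('session.sid_bits_per_character', '5');
    }
}

// Returns the effective values so a deployment can be sanity-checked:
// ini_set() returns false (it does not throw) when php.ini or
// php_admin_value locks a directive, so always read the values back.
function effective_session_tuning()
{
    $keys = array(
        'session.gc_maxlifetime',
        'session.gc_probability',
        'session.gc_divisor',
        'session.name',
        'session.save_handler',
    );
    $out = array();
    foreach ($keys as $key) {
        $out[$key] = ini_get($key);
    }
    return $out;
}

configure_session_tuning();
session_start();
var_export(effective_session_tuning());
```

Running this once from the CLI and comparing the printed values against what you intended is the quickest way to find out whether the host's php.ini (or a php_admin_value in the web server configuration) is overriding your ini_set() calls.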
And all the rest
There are more configuration options out there; I only covered the ones I’ve interacted with before. If you are interested in learning about all of the available options, you can find them in the session configuration section of the PHP manual.
About Josh
Husband. Father. Pug dad. Musician. Founder of Holiday API, Head of Engineering and Emoji Specialist at Mailshake, and author of the best damn Lorem Ipsum Library for PHP.
Php session hash function
By securing the session related INI settings, developers can improve session security. Some important INI settings have no recommended value; developers are responsible for hardening session settings themselves.
- session.cookie_lifetime=0 The value 0 has a particular meaning: it tells browsers not to store the cookie in permanent storage, so when the browser is closed the session ID cookie is deleted immediately. Setting this to anything other than 0 may allow other users of the same browser to reuse the session ID. Most applications should use 0 for this. If an auto-login feature is required, developers must implement their own secure auto-login feature rather than relying on long-lived session IDs; the PHP manual's session security section describes this in more detail.
- session.use_cookies=On session.use_only_cookies=On Although HTTP cookies have some problems, they remain the preferred way to manage session IDs, and most applications should use a cookie for the session ID whenever possible. If session.use_only_cookies=Off, the session module will accept a session ID from GET or POST parameters whenever the session ID cookie is not set, which makes it possible to hand a victim a link that carries an attacker-chosen session ID.
- session.use_strict_mode=On Enabling session.use_strict_mode is mandatory for secure sessions, yet it is disabled by default. It prevents the session module from using an uninitialized session ID; put differently, the session module only accepts session IDs it generated itself and rejects any session ID supplied by the user. Because of how the cookie specification works, attackers are able to plant a session ID cookie that the application cannot remove, either by editing the cookie database locally or through JavaScript injection. session.use_strict_mode prevents such an attacker-initialized session ID from being used.
Note: Attackers may initialize a session ID on their own device and then set that session ID on the victim. They must keep the session ID active to abuse it, which requires additional steps on the attacker's part. Therefore, session.use_strict_mode works as a mitigation, and regenerating the ID at login (session_regenerate_id()) closes the remaining window.
Note: Some session save handler modules, for example memcached and memcache, do not use the garbage-collection probability settings for probability based expiration; they expire entries themselves. Refer to the session save handler documentation for details.
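The following is an added example, not code from the PHP manual, showing a session bootstrap that applies the three settings listed above (plus the related cookie flags) at runtime, verifies that nothing in php.ini overrode them, and regenerates the ID after a successful login. The function names are illustrative, and it assumes PHP 7.3 or later because session.cookie_samesite was introduced in that version.

```php
<?php
// Added example (not from the PHP manual): fail-closed session bootstrap.
// Assumes PHP 7.3+ (session.cookie_samesite). Function names are illustrative.

// The settings the manual text above calls for, plus the cookie flags that
// usually go with them. Values are the strings ini_get() returns after
// ini_set(), so they can be compared back verbatim.
function secure_session_settings(): array
{
    return [
        'session.use_cookies'      => '1',
        'session.use_only_cookies' => '1',   // never take the ID from GET/POST
        'session.use_strict_mode'  => '1',   // reject IDs the module did not generate
        'session.cookie_lifetime'  => '0',   // session cookie: gone when the browser exits
        'session.cookie_httponly'  => '1',   // not readable through document.cookie
        'session.cookie_secure'    => '1',   // only sent over HTTPS
        'session.cookie_samesite'  => 'Lax', // not sent on cross-site POSTs
    ];
}

// Applies the settings and returns the names of any that could not be
// applied (ini_set() returns false when php.ini or php_admin_value locks a
// directive) or that read back with a different value.
function apply_secure_session_settings(array $settings): array
{
    $failed = [];
    foreach ($settings as $name => $want) {
        if (ini_set($name, $want) === false || (string) ini_get($name) !== $want) {
            $failed[] = $name;
        }
    }
    return $failed;
}

// Starts the session only if every setting is in force. A session started
// with weak settings is worse than no session, so this fails closed.
function start_secure_session(): void
{
    $failed = apply_secure_session_settings(secure_session_settings());
    if ($failed !== []) {
        throw new RuntimeException('Insecure session settings: ' . implode(', ', $failed));
    }
    session_start();
}

// Call only after the credentials have been verified. A fresh ID closes any
// fixation window that strict mode did not already close; passing true
// destroys the old session data instead of leaving it behind for the old ID.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Do not extend session.cookie_lifetime for "remember me"; issue a separate,
// single-use token for that and let the session cookie stay a session cookie.
start_secure_session();
```

The read-back in apply_secure_session_settings() matters more than it looks: on a shared host a php_admin_value in the web server configuration silently wins over ini_set(), and without the comparison the application would carry on believing strict mode and the cookie flags are on.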