PHP Sessions
Securing PHP sessions that span HTTP and HTTPS pages so that they conform to PCI DSS: a session ID that has been used over HTTPS must never be sent over plain HTTP again.
Session create (run at the top of every page, before any output is sent, since it emits headers and cookies)
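// Work out the scheme of this request. $_SERVER['HTTPS'] is absent on plain
// HTTP, 'on' (or '1') on most servers and 'off' on IIS, so test for
// "set and not 'off'" instead of a loose `!= 'on'` comparison, which also
// raised an undefined-index notice on every HTTP request.
$isHttps = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

if (!$isHttps) {
    // Plain HTTP request. A client that already holds the COOK_SECURED marker
    // cookie has a session that was upgraded to HTTPS; do not start it here,
    // because its session cookie is marked secure and this request is
    // unencrypted. Bounce the client back to HTTPS instead.
    if (!empty($_COOKIE[COOK_SECURED])) {
        // NOTE(review): SERVER_NAME is only trustworthy when the web server
        // canonicalises it (e.g. Apache UseCanonicalName On); otherwise it
        // echoes the client's Host header and a configured host name should
        // be used here instead.
        $url = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
        header("Location: $url");
        exit;
    }
    // HTTP-only session: the cookie cannot be secure (it has to travel over
    // HTTP) but is HttpOnly so it is not readable from script.
    session_set_cookie_params(COOK_LIFE, COOK_PATH, COOK_DOM, false, true);
    session_start();
} else {
    // HTTPS request: the session cookie is secure + HttpOnly, so the browser
    // will never send it over plain HTTP.
    session_set_cookie_params(COOK_LIFE, COOK_PATH, COOK_DOM, true, true);
    session_start();
    if (!isset($_SESSION[SESS_OLD_ID])) {
        // First HTTPS hit for this session: the current ID was issued (and
        // may have been observed) over plain HTTP, so replace it.
        // session_regenerate_id() keeps $_SESSION in memory, so the former
        // session_encode()/session_decode() round-trip is not needed; the
        // `true` argument deletes the old record so the HTTP-issued ID
        // cannot be replayed.
        $old_sessionid = session_id();
        session_regenerate_id(true);
        $_SESSION[SESS_OLD_ID] = $old_sessionid;
        // Marker cookie that tells HTTP requests to redirect to HTTPS. It
        // carries no secret, so it is deliberately NOT secure-only (HTTP must
        // be able to see it), but it is HttpOnly and uses the same path and
        // domain as the session cookie -- the original set it with the
        // default path, so the destroy code (which clears it with
        // COOK_PATH/COOK_DOM) could never remove it.
        setcookie(COOK_SECURED, '1', 0, COOK_PATH, COOK_DOM, false, true);
    }
}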
Session destroy (logout)
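// Tear down a session that was upgraded to HTTPS (only those carry
// SESS_OLD_ID; an HTTP-only session is left alone, as in the original
// design) and send the client back to plain HTTP.
if (isset($_SESSION[SESS_OLD_ID])) {
    session_unset();
    session_destroy();
    // Expire the cookies in the browser too. Use session_name() rather than
    // a hard-coded 'PHPSESSID' so this still works when session.name is
    // changed, and the same path/domain the cookies were set with, or the
    // browser keeps them.
    $sessionCookie = session_name();
    if (isset($_COOKIE[$sessionCookie])) {
        setcookie($sessionCookie, '', time() - 100, COOK_PATH, COOK_DOM);
    }
    if (isset($_COOKIE[COOK_SECURED])) {
        setcookie(COOK_SECURED, '', time() - 100, COOK_PATH, COOK_DOM);
    }
    // NOTE(review): SERVER_NAME is only trustworthy when the web server
    // canonicalises it; otherwise use a configured host name here.
    $url = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header("Location: $url");
    // Stop here: without exit the rest of the page would keep executing
    // (and emitting output) after the redirect header.
    exit;
}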