Are my session settings secure enough?

Question

I'm developing a file hosting and sharing web application.

Are the following PHP session settings secure enough?

ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_lifetime', 0); 
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool'); //is whirlpool that necessary?
ini_set('session.use_only_cookies', 1);
ini_set('session.hash_bits_per_character', 5);
ini_set('session.cookie_secure', 1);

session_name('sid');

session_start();

if (!isset($_COOKIE['sid'])) {
    $_SESSION['token'] = CryptoCharGen::alnum(); //20 chars
}

To add on to the security:

• Tying a cryptographically strong CSRF token to the user session for form validation.
• Regenerating a new session ID upon logging in and out and destroying the old session.
• Regenerating a new CSRF token upon successful submission of any form.

I've read to rename the default PHP session name, so I named it sid instead. Is that good enough?

Should I generate the session id with my own generator? (CryptoCharGen)

Should I be concerned about how I name my session variables?

Answer 1

You can also add session.entropy_length = 512 and session.use_trans_sid = 0.

Also do not forget to:

1. use https
2. regenerate session id if you change users permissions.
3. do sessions time out. Time depends on your app.

It has nothing to do with security, but why not to change session.hash_bits_per_character to 6. The bigger the number, the shorter the string sent from and to the server.

Answer 2

Here are few extra steps which can make session secure.

1. Limit the session validity for accepted short time
2. Always transmit session ids on SSL/TLS
3. Never send session ids on URLs (Use post method)
4. Make Strong CSRF tokens and Make sure CSRF tokens are validated.

You can find more on

• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#Session_Management