rspec/rules/S5328/php/rule.adoc

If a session ID can be guessed (not generated with a secure pseudo random generator, or with insufficient length ...) an attacker may be able to hijack another user's session.


== Ask Yourself Whether

* the session ID is not unique.
* the session ID is set from a user-controlled input.
* the session ID is generated with not secure pseudo random generator.
* the session ID length is too short.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Don't manually generate session IDs, use instead language based native functionality.


== Sensitive Code Example

----
session_id(bin2hex(random_bytes(4))); // Sensitive: 4 bytes is too short
session_id($_POST["session_id"]); // Sensitive: session ID can be specified by the user
----


== Compliant Solution

----
session_regenerate_id(); ; // Compliant
session_id(bin2hex(random_bytes(16))); // Compliant
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://www.owasp.org/index.php/Session_fixation[OWASP Sesssion Fixation]
* https://cwe.mitre.org/data/definitions/330.html[MITRE, CWE-330] - Use of Insufficiently Random Values
* http://cwe.mitre.org/data/definitions/340[MITRE, CWE-340] - Generation of Predictable Numbers or Identifiers
* https://www.php.net/random-bytes[PHP: random_bytes()]
* https://www.php.net/session-regenerate-id[PHP: session_regenerate_id()] 


ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]