rspec/rules/S5328/php/rule.adoc

If a session ID can be guessed (not generated with a secure pseudo random generator, or with insufficient length ...) an attacker may be able to hijack another user's session.


== Ask Yourself Whether

* the session ID is not unique.
* the session ID is set from a user-controlled input.
* the session ID is generated with not secure pseudo random generator.
* the session ID length is too short.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Don't manually generate session IDs, use instead language based native functionality.


== Sensitive Code Example

----
session_id(bin2hex(random_bytes(4))); // Sensitive: 4 bytes is too short
session_id($_POST["session_id"]); // Sensitive: session ID can be specified by the user
----


== Compliant Solution

[source,php]
----
session_regenerate_id(); ; // Compliant
session_id(bin2hex(random_bytes(16))); // Compliant
----


== See

* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://owasp.org/www-community/attacks/Session_fixation[OWASP Sesssion Fixation]
* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
* https://cwe.mitre.org/data/definitions/340[MITRE, CWE-340] - Generation of Predictable Numbers or Identifiers
* https://www.php.net/random-bytes[PHP: random_bytes()]
* https://www.php.net/session-regenerate-id[PHP: session_regenerate_id()] 


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`If a session ID can be guessed (not generated with a secure pseudo random generator, or with insufficient length ...) an attacker may be able to hijack another user's session.`


			`== Ask Yourself Whether`

			`* the session ID is not unique.`
			`* the session ID is set from a user-controlled input.`
			`* the session ID is generated with not secure pseudo random generator.`
			`* the session ID length is too short.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`Don't manually generate session IDs, use instead language based native functionality.`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Sensitive Code Example`

			`----`
			`session_id(bin2hex(random_bytes(4))); // Sensitive: 4 bytes is too short`
			`session_id($_POST["session_id"]); // Sensitive: session ID can be specified by the user`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`session_regenerate_id(); ; // Compliant`
			`session_id(bin2hex(random_bytes(16))); // Compliant`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

			`== See`

Fix typo in OWASP links from the See section (#807) * Fix typos in OWASP Top 10 2017 links * Fixing wrong URI in OWASP Top 10 2021 A4 links 2022-02-10 09:11:45 +01:00			`* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design`
RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
			`* https://owasp.org/www-community/attacks/Session_fixation[OWASP Sesssion Fixation]`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values`
			`* https://cwe.mitre.org/data/definitions/340[MITRE, CWE-340] - Generation of Predictable Numbers or Identifiers`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`* https://www.php.net/random-bytes[PHP: random_bytes()]`
			`* https://www.php.net/session-regenerate-id[PHP: session_regenerate_id()]`

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`