Php Insecure Session Expiration
Description
Detects insecure PHP session cookie lifetime configurations that could enable session hijacking. A session cookie lifetime that is too long (over 25 minutes) or set to never expire (0) allows attackers more time to steal and replay session cookies.
Detection Strategy
• Examines php.ini configuration files for the session.cookie_lifetime setting
• Reports a vulnerability if cookie lifetime is set to 0 (never expires)
• Reports a vulnerability if cookie lifetime exceeds 1500 seconds (25 minutes)
• Checks the value directly in the configuration without requiring the PHP application to be running
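The check described above, written out as an added example (not Fluid Attacks' own detector code): it parses php.ini-style text, ignores commented-out directives, tolerates quoted values and inline comments, and reports a lifetime of 0 or above 1500 seconds. One assumption not stated on the page: a missing directive is reported too, because PHP's built-in default for session.cookie_lifetime is 0.

```python
import re
from typing import Optional, Tuple

MAX_LIFETIME = 1500  # seconds (25 minutes): the page's threshold for an acceptable lifetime

# Active (uncommented) assignment; tolerates whitespace, optional quotes and a trailing ; comment.
_ASSIGN = re.compile(r'^\s*session\.cookie_lifetime\s*=\s*"?([^";]*?)"?\s*(?:;.*)?$', re.IGNORECASE)


def find_cookie_lifetime(ini_text: str) -> Optional[Tuple[int, str]]:
    """Return (line_number, raw_value) of the last active session.cookie_lifetime
    assignment, or None when the directive is missing or only appears commented out."""
    found = None
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        m = _ASSIGN.match(line)
        if m:
            found = (lineno, m.group(1).strip())  # a later assignment overrides an earlier one
    return found


def check_session_expiration(ini_text: str) -> Optional[dict]:
    """Apply the detection rule: report a lifetime of 0 (never expires) or over 1500 seconds.
    Assumption (not from the page): an absent directive is reported as well, since PHP's
    default for session.cookie_lifetime is 0."""
    hit = find_cookie_lifetime(ini_text)
    if hit is None:
        return {"line": None, "value": "0", "reason": "directive absent, PHP default 0 applies"}
    lineno, raw = hit
    if not raw.lstrip("-").isdigit():
        return {"line": lineno, "value": raw, "reason": "non-numeric value, cannot confirm an expiry"}
    seconds = int(raw)
    if seconds == 0:
        return {"line": lineno, "value": raw, "reason": "lifetime 0, cookie never expires"}
    if seconds > MAX_LIFETIME:
        return {"line": lineno, "value": raw, "reason": f"lifetime exceeds {MAX_LIFETIME} seconds"}
    return None  # within the accepted range: no finding


# Constructed sample inputs, not real deployment files.
VULNERABLE_INI = """[Session]
session.use_cookies = 1
;session.cookie_lifetime = 900   ; commented out, so it does not count
session.cookie_lifetime = 0
"""
SECURE_INI = """[Session]
session.cookie_lifetime = "1200" ; 20 minutes, quoted and followed by an inline comment
"""

if __name__ == "__main__":
    for name, ini in (("vulnerable", VULNERABLE_INI), ("secure", SECURE_INI)):
        print(name, check_session_expiration(ini))
```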
Vulnerable code example
[Session]
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
;session.cookie_secure = ; VULNERABLE: cookie_secure not enabled, allows transmission over non-HTTPS
session.cookie_lifetime = 0 ; VULNERABLE: 0 means the cookie never expires, so a stolen cookie stays usable indefinitely
Secure code example
[Session]
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.cookie_secure = 1 ; Ensures cookies are only sent over HTTPS
session.cookie_httponly = 1 ; Prevents JavaScript access to session cookie
session.cookie_samesite = "Strict" ; Protects against CSRF attacks
session.use_strict_mode = 1 ; Prevents session fixation attacks
session.cookie_lifetime = 1500 ; Cookie expires after 25 minutes, the longest lifetime the detector accepts