Before I start on this subject I wanted to apologise for taking so long to write this new post. I've been pretty ill recently and have only just started to recover; it was nothing major, but I felt bad and couldn't concentrate enough to write this.
This post is the fourth part in my series about PHP session security and will focus on securing the connection between the client and the server. I've already covered keeping data secure on the server and the session ID secure on the client browser, and as important as those are, having a secure connection is also a must to stop anyone finding out what the user's session ID is and hijacking it.
What is a secure connection
Generally this was done using a Secure Sockets Layer (SSL) connection, but more recently this has been superseded by Transport Layer Security (TLS), although it is still referred to as SSL in a lot of places. TLS isn't a totally new method of securing connections but is more of an evolution / upgrade from SSL; still, there have been quite a few changes, so the two cannot interoperate.
Users can normally identify a secure connection because the URL will start with HTTPS (HyperText Transfer Protocol Secure). I'll write more about HTTPS, SSL & TLS in another post at a later date, but understanding how they work in detail isn't necessary for securing PHP sessions.
Verified & unverified
There are two main types of TLS, verified and unverified (also referred to as certificated & non-certificated depending on the terminology you're using, but they're the same thing). The main difference between the two is that in a verified connection the client browser verifies the certificate for the domain, so it knows the connection is to the correct site; in an unverified connection this doesn't happen, so the client can't tell it's connected to the correct site, but the connection itself is still secure. You may have noticed on some secured sites that you get a red warning message in your browser telling you it cannot verify the TLS / SSL certificate (or words to that effect) and asking whether you want to continue; these are sites using an unverified TLS / SSL certificate.
Having a verified connection costs more money, but when most people see that the connection is unverified, with the red warning message their browser shows, they will leave the site instantly, so for sites used by the general public you must have a verified certificate. Unverified SSL is useful for your own purposes, where you know that you are connected to the correct domain and just want the connection to be secure; an example of this could be an admin system for your website.
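A quick way to check which of the two kinds of certificate a site is presenting is to do what the browser does: open a TLS connection with peer verification switched on and see whether it succeeds. The script below is an added example, not code from the original post; it uses PHP's built-in ssl:// stream wrapper with the system CA bundle, and the host name (example.com) is only a placeholder. A verified (CA-signed, correctly named, unexpired) certificate connects cleanly; a self-signed or mismatched one, the kind the browser shows the red warning for, makes the connection fail.

```php
<?php
// Added example: report whether a host's TLS certificate verifies the way a
// browser would verify it. $host and $port are assumptions; change them to the
// site you want to check (for instance your own admin system).

function tlsCertificateVerifies(string $host, int $port = 443): array
{
    $context = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,   // reject certificates not signed by a trusted CA
            'verify_peer_name'  => true,   // reject certificates issued for a different name
            'allow_self_signed' => false,  // a self-signed cert is "unverified"
            'SNI_enabled'       => true,
            'peer_name'         => $host,
            'capture_peer_cert' => true,   // keep the certificate so we can report on it
        ],
    ]);

    $errno  = 0;
    $errstr = '';
    $socket = @stream_socket_client(
        "ssl://{$host}:{$port}",
        $errno,
        $errstr,
        10,
        STREAM_CLIENT_CONNECT,
        $context
    );

    if ($socket === false) {
        // Verification failure (self-signed, expired, wrong name) or a plain
        // network error; either way the browser would not treat it as verified.
        $reason = $errstr !== '' ? $errstr : (error_get_last()['message'] ?? 'TLS handshake failed');
        return ['verified' => false, 'reason' => $reason];
    }

    $params = stream_context_get_params($socket);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($socket);

    return [
        'verified' => true,
        'subject'  => $cert['subject']['CN'] ?? '',
        'issuer'   => $cert['issuer']['CN'] ?? '',
        'expires'  => date('Y-m-d', $cert['validTo_time_t']),
    ];
}

// Usage: run from the command line against the site you are checking.
print_r(tlsCertificateVerifies('example.com'));
```

If you run this against your own admin system with an unverified certificate you'll see verified => false with the OpenSSL reason, which is exactly what you want for a site only you use; if a public site gives that result, its users are seeing the red warning too.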
How to make a connection secure
There are two main methods of implementing TLS / SSL: either have the connection security and cryptography done in hardware, or have it all done in software. Most (if not everyone) reading this will want to use software, as it's the easier and cheaper method. The advantage of hardware is that it's more efficient, but it has the downside of being harder to upgrade and costing a lot more; its only real-world use is on sites that have a large volume of traffic, such as Facebook, so I'll just be going over the software implementation here.
One thing to keep in mind when using a secure connection is that it uses extra resources on the server, which is why you've probably not seen many sites that use a secure connection on every page, just the sensitive ones that require it. It's worth noting, though, that on smaller sites that aren't using much bandwidth or server resources you probably won't notice the extra resources the secure connection uses, even if you implement it throughout the whole site.
One of the best places to start is by contacting your hosting provider and seeing if they can sort it out for you, as a lot of them have procedures in place for setting up secure connections and getting certificates, which makes the whole process a lot easier and quicker for you, and possibly cheaper too.
If you want to do all the set-up yourself you'll need a static IP address and full access to your server. You'll then need to buy the certificate; there are several places to do this, and which is best depends on what exactly you're after and the country you're in, so ask around. Google is a good place to start, and VeriSign are well known for selling certificates. After you've purchased the SSL certificate you'll need to install it and configure your web server (probably Apache) to use it; getting into the details of that is a bit outside the scope of this post and could do with a post all to itself. I'd recommend Googling around for it and asking on an online forum for advice, as for some reason there don't seem to be many tutorials on the subject that I could find. Hopefully later on I'll get around to writing my own guide to configuring an Apache-based server to use TLS / SSL.
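Once the web server has its certificate installed, the PHP side still has to make sure the session actually uses the secure connection, otherwise a single plain-HTTP request for a session page sends the session ID in clear text. The following is an added example, not code from the original post: it refuses to start a session unless the request arrived over HTTPS, redirects plain-HTTP requests to the HTTPS version of the same URL, and marks the session cookie so the browser only ever sends it over HTTPS. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a server such as Apache that sets $_SERVER['HTTPS'] on TLS requests; the fallback host name is a placeholder.

```php
<?php
// Added example: the PHP side of "use the secure connection for sessions".
// Include this before any output on every page that starts or resumes a session.

function requestIsHttps(): bool
{
    // Apache sets HTTPS to 'on' for TLS requests; treat port 443 as HTTPS too.
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
}

function redirectToHttps(): void
{
    $host = $_SERVER['HTTP_HOST'] ?? 'example.com';   // fallback host is an assumption
    $uri  = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . $host . $uri, true, 301);
    exit;
}

function startSecureSession(): void
{
    if (!requestIsHttps()) {
        // Never start (or resume) a session over plain HTTP: the session ID
        // would travel in clear text and could be read and used by someone else.
        redirectToHttps();
    }

    // Tell browsers to use HTTPS for this host for the next year (HSTS), so a
    // stray http:// link later on doesn't make them send the cookie in the clear.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,      // cookie is only sent over HTTPS
        'httponly' => true,      // not readable by JavaScript
        'samesite' => 'Strict',
    ]);

    // Defence in depth: only accept the session ID from the cookie, never the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_start();
}

// Usage on a session page.
startSecureSession();
echo 'Session established over HTTPS.';
```

The redirect happens before session_start(), so no session cookie is ever created for a plain-HTTP request; the secure flag then stops the browser from sending an existing cookie over HTTP even if a user follows an http:// link, and the HSTS header makes the browser rewrite such links to https:// itself.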
Other parts in this series:
- Part 1 - Considerations
- Part 2 - Session storage on your server
- Part 3 - Session ID storage on the client
- Part 4 - Secure connections (you're here!)
- Part 5 - Session fixation