diff --git a/reference/session/security.xml b/reference/session/security.xml
index ad6c49f807..e41abb72e8 100644
--- a/reference/session/security.xml
+++ b/reference/session/security.xml
@@ -7,9 +7,9 @@
External links: Session fixation
- HTTP session management is core of web security. All of mitigation
- should be adopted to make sure session security. Developer should
- enable/use applicable security measures.
+ HTTP session management is the core of web security. All mitigations
+ should be adopted to make sure sessions are secured. Developers should
+ also enable/use applicable security measures.
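Review bot: the reworded `+` lines are still awkward and the added "also" has nothing to refer back to. "to make sure sessions are secured" reads better as "to secure sessions", and "the core of web security" overstates the original "core of web security" (session management is one core part, not the whole). Suggest: "HTTP session management is a core part of web security. All mitigations should be adopted to secure sessions. Developers should enable and use the applicable security measures."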
@@ -52,10 +52,11 @@
- Even HTTPS cannot protect confidential data in contents sometimes.
- e.g. CRIME, Beast attack. There are many networks that use
- HTTPS MITM proxy for audit purpose. Attackers may setup such proxy
- also.
+ Even HTTPS cannot protect confidential data at all times.
+ For example the CRIME and Beast vulnerabilities may enable an
+ attacker to read the data. Also note that there are many networks
+ that use HTTPS MITM proxies for audit purposes. Attackers may also
+ set up such a proxy.
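Review bot: "Beast" should be "BEAST" to match "CRIME" on the same line (both are acronyms), and "read the data" loses the reason these attacks belong on a session-security page: CRIME and BEAST recover secrets such as the session cookie from TLS traffic. Suggest: "For example, the CRIME and BEAST attacks may enable an attacker to recover secrets such as the session ID from encrypted traffic." The MITM-proxy sentences are fine as rewritten.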
@@ -65,33 +66,33 @@
Non-Adaptive Session Management
- PHP's session manager is adaptive by default currently. Adaptive session manger
+ PHP's session manager is adaptive by default currently. Adaptive session manager
has additional risks.
Since PHP 5.5.2, session.use_strict_mode
- is available. When it is enabled and session save handler supports
- it, uninitialized session ID is rejected and new session ID is
- created. This protects attack that forces users to use known session
- ID. Attacker may paste links or send mail that contains session
+ is available. When it is enabled, and the session save handler supports
+ it, an uninitialized session ID is rejected and a new session ID is
+ created. This prevents an attack that forces users to use known session
+ ID. Attacker may paste links or send mail that contains the session
ID. e.g. http://example.com/page.php?PHPSESSID=123456789 If session.use_trans_sid is
- enabled, victim will start session using attacker provided session
- ID. session.use_strict_mode
+ enabled, the victim will start a session using the attacker provided
+ session ID. session.use_strict_mode
mitigates the risk.
- User defined save handler can also support strict session mode by implementing
- session ID validation function/method. All user defined save handlers must
- implement session ID validation function/method.
+ User defined save handlers can also support strict session mode by
+ implementing session ID validation. All user defined save handlers must
+ implement session ID validation.
- Session ID cookie could be set with domain, path, httponly, secure
+ The session ID cookie could be set with domain, path, httponly and secure
attributes. There is precedence defined by browsers. By using the
precedence, attacker can set session ID that could be used
permanently. Use of session.use_strict_mode
mitigates this risk. With session.use_strict_mode=On,
- uninitialized session ID will not be accepted. Session module
- creates new session ID always when session ID is not initialized by
- session module.
+ the uninitialized session ID will not be accepted.
Even though session.use_strict_mode
- mitigates risk of adoptive session management, attacker can force
+ mitigates the risk of adoptive session management, attacker can force
users to use initialized session ID which is created by attacker. e.g.
JavaScript injection. This attack could be mitigated by this manual's
recommendations.
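Review bot: the typo "adoptive session management" is carried over unchanged into the rewritten `+` line; it should be "adaptive", matching the heading "Non-Adaptive Session Management" and the first sentence of the hunk. Three smaller points in the same hunk: "use known session ID. Attacker may paste" still lacks articles ("use a known session ID. An attacker may paste"); the comma in "When it is enabled, and the session save handler supports it," splits the condition and should go; and dropping "Session module creates new session ID always when session ID is not initialized by session module" removes the statement that a fresh ID is generated, so the surviving sentence should read "an uninitialized session ID will not be accepted and a new one is generated" rather than "the uninitialized session ID will not be accepted". Likewise "attacker can force users" needs "an attacker".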
@@ -127,7 +126,7 @@
When obsolete session access happened, you should save all active
session data for the user. It will be useful for investigation later.
- Then, force user to logout from all sessions. i.e. Require users
+ Then force the user to logout from all sessions. i.e. Require users
to re-authenticate. This way, you can prevent attackers from
keep abusing stolen sessions.
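Review bot: "logout" is a noun; as a verb it should be "log out", so the rewritten line should read "Then force the user to log out of all sessions, i.e. require the user to re-authenticate." The unchanged context line "prevent attackers from keep abusing stolen sessions" is also ungrammatical ("from continuing to abuse stolen sessions"); since the hunk already edits this paragraph it is worth fixing here.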
@@ -634,7 +633,7 @@
- session.trans_sid_tags=[limitted tags]
+ session.trans_sid_tags=[limited tags]
(PHP 7.1.0 >=) You should not rewrite unneeded HTML tags. Default
@@ -645,7 +644,7 @@
- session.trans_sid_hosts=[limitted hosts]
+ session.trans_sid_hosts=[limited hosts]
(PHP 7.1.0 >=) This INI defines whitelist hosts that allows trans sid
@@ -661,11 +660,12 @@
When session.use_trans_sid
- is enabled, use of this setting is recommended.
+ is enabled.
It reduces risk of session ID injection. If your site is
http://example.com/, set http://example.com/ to it. Note that when
- HTTPS is used, browser will not send referrer header. Browser may
- not send referrer header by configuration. Therefore, this setting
+ HTTPS is used the browser will not send the referrer header. Browsers may
+ not send the referrer header by configuration. Use of this
+ setting is recommended Therefore, this setting
is not reliable security measure.
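Review bot: this hunk breaks the paragraph. Removing "use of this setting is recommended" from the first sentence leaves the fragment "When session.use_trans_sid is enabled.", and the relocated "Use of this setting is recommended" is inserted mid-paragraph without a full stop, so it runs straight into "Therefore, this setting is not reliable security measure" and the text now recommends the setting and calls it unreliable in one breath. Keep the original placement ("When session.use_trans_sid is enabled, use of this setting is recommended.") and drop the relocated sentence. Two accuracy points in the same lines: the header is spelled "Referer" (worth naming correctly, as the INI being described is session.referer_check), and browsers do not omit it whenever HTTPS is used; they omit it when navigating from an HTTPS page to a plain HTTP one, and referrer policies can suppress or trim it further. The closing context line also needs an article: "is not a reliable security measure".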
@@ -676,7 +676,7 @@
Make sure HTTP contents are not cached for authenticated
- session. Allow caching only when contents is not private.
+ session. Allow caching only when contents are not private.
Otherwise, contents may be exposed. "private" may be used
if HTTP content does not include security sensitive data. Note
that "private" may leave private data cached by shared
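Review bot: "contents are not private" treats "contents" as countable, but the surrounding lines use it as a mass noun ("contents may be exposed", "if HTTP content does not include"); pick one form throughout. Suggest "Allow caching only when the content is not private." and, in the context line, "for authenticated sessions" (plural) to match the rest of the page.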