Healthcare applications are prime targets for attackers.
One prescription data breach. One session hijacking. One CSRF exploit. That's all it takes to expose 500+ patient records, destroy trust, and face regulatory penalties.
After processing 1,100+ prescriptions with zero security incidents, here's exactly how VaidyaAI implements session management and CSRF protection that actually works in production.
0
Security Incidents
1,100+
Prescriptions Protected
30min
Session Timeout
100%
CSRF Coverage
Why Healthcare Applications Are Different
Standard web app security isn't enough for healthcare. Here's why:
🏥 Healthcare Security Requirements
- HIPAA compliance: Patient data must be encrypted and access-controlled
- Audit trails: Every action logged with timestamp and user
- Role-based access: Doctors see different data than pharmacists
- Session persistence: Can't log users out mid-prescription
- Multi-device support: Doctor on tablet, pharmacist on desktop
- Zero downtime tolerance: Lives depend on system availability
VaidyaAI handles all of this in a monolithic PHP application. No microservices complexity. Just solid security fundamentals executed correctly.
The Attack Vectors We're Defending Against
Before diving into solutions, let's understand the threats:
Attack 1: Session Hijacking
// Attack scenario:
1. Doctor logs in → Gets session ID: abc123xyz
2. Attacker intercepts session ID (via XSS, network sniffing, etc.)
3. Attacker uses stolen session ID to impersonate doctor
4. Attacker can now view/modify all patient data
// Impact:
- Full account takeover
- Access to 500+ patient records
- Can create fraudulent prescriptions
- Can modify existing prescriptions
- HIPAA violation → $50,000+ fine per violation
Attack 2: Cross-Site Request Forgery (CSRF)
// Attack scenario:
1. Doctor logged into VaidyaAI (session active)
2. Doctor visits malicious site (in another tab)
3. Malicious site sends forged request to VaidyaAI:
<img src="https://clinical.careandcures.icu/api?action=delete_patient&id=123">
4. Request executes using doctor's active session
5. Patient data deleted without doctor's knowledge
// Impact:
- Data manipulation
- Unauthorized prescription creation
- Patient record deletion
- Audit trail corruption
Attack 3: Session Fixation
// Attack scenario:
1. Attacker creates session: evil123
2. Attacker tricks doctor into using that session
(via phishing link with ?PHPSESSID=evil123)
3. Doctor logs in, session evil123 becomes authenticated
4. Attacker now has authenticated session
// Impact:
- Account compromise
- Shared authentication state
- Can monitor all doctor activities
Defense Layer 1: Secure Session Configuration
First line of defense: Configure PHP sessions correctly from the start.
// VaidyaAI session initialization (runs before any output)
// File: index.php (lines 1-50)
session_start();
// CRITICAL: Set secure session parameters
ini_set('session.cookie_httponly', '1'); // Prevent JavaScript access
ini_set('session.cookie_secure', '1'); // HTTPS only
ini_set('session.use_strict_mode', '1'); // Reject uninitialized sessions
ini_set('session.cookie_samesite', 'Strict'); // CSRF protection
// Regenerate session ID on login to prevent fixation
if (isset($_POST['action']) && $_POST['action'] === 'login') {
session_regenerate_id(true); // Delete old session
}
// Session timeout: 30 minutes of inactivity
if (isset($_SESSION['last_activity']) &&
(time() - $_SESSION['last_activity'] > 1800)) {
// Session expired
session_unset();
session_destroy();
header('Location: /login?timeout=1');
exit;
}
// Update last activity timestamp
$_SESSION['last_activity'] = time();
// Store user agent and IP for validation
if (!isset($_SESSION['user_agent'])) {
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];
}
// Validate session hasn't been hijacked
if ($_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'] ||
$_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR']) {
// Session hijacking detected
session_destroy();
header('Location: /login?security_alert=1');
exit;
}
Why Each Setting Matters
| Setting | Purpose | Attack Prevented |
|---|---|---|
| cookie_httponly | Prevents JavaScript from accessing session cookie | XSS → Session theft |
| cookie_secure | Transmits cookie only over HTTPS | Network sniffing |
| use_strict_mode | Rejects attacker-supplied session IDs | Session fixation |
| cookie_samesite | Prevents cross-site cookie transmission | CSRF attacks |
| session_regenerate_id | Creates new session ID after login | Session fixation |
| User agent validation | Detects if session used from different browser | Session hijacking |
Defense Layer 2: CSRF Token Implementation
Every state-changing request must include a valid CSRF token. Here's the complete implementation:
Token Generation
// Generate CSRF token on session start
function generateCSRFToken() {
if (!isset($_SESSION['csrf_token'])) {
// Generate cryptographically secure random token
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// Store token creation time for rotation
$_SESSION['csrf_token_time'] = time();
}
// Rotate token every hour (prevents token fixation)
if (time() - $_SESSION['csrf_token_time'] > 3600) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
$_SESSION['csrf_token_time'] = time();
}
return $_SESSION['csrf_token'];
}
// Initialize CSRF token for every page
$csrfToken = generateCSRFToken();
Token Validation
// Validate CSRF token on every POST/API request
function validateCSRFToken($token) {
if (!isset($_SESSION['csrf_token'])) {
return false;
}
// Use hash_equals to prevent timing attacks
return hash_equals($_SESSION['csrf_token'], $token);
}
// API request handler with CSRF protection
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// All POST requests must include CSRF token
$submittedToken = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!validateCSRFToken($submittedToken)) {
// CSRF attack detected
http_response_code(403);
echo json_encode([
'success' => false,
'error' => 'Invalid CSRF token'
]);
// Log security incident
logSecurityIncident('csrf_violation', [
'ip' => $_SERVER['REMOTE_ADDR'],
'user_agent' => $_SERVER['HTTP_USER_AGENT'],
'endpoint' => $_POST['action'] ?? 'unknown'
]);
exit;
}
}
Token Injection in Forms
// HTML form example
<form method="POST" action="/api">
<!-- Hidden CSRF token field -->
<input type="hidden" name="csrf_token"
value="<?= htmlspecialchars($csrfToken) ?>">
<input type="text" name="patient_name" required>
<button type="submit">Save</button>
</form>
// AJAX request example
<script>
function createPrescription(data) {
return fetch('/api', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': '<?= $csrfToken ?>' // Token in header
},
body: JSON.stringify(data)
});
}
</script>
Defense Layer 3: Role-Based Access Control (RBAC)
Not all authenticated users should access all features. VaidyaAI implements strict RBAC:
// User roles (from database)
const ROLES = [
'super_admin' => ['*'], // Full access
'admin' => ['manage_users', 'view_reports', 'manage_inventory'],
'doctor' => ['create_prescription', 'view_patients', 'update_prescription'],
'pharmacist' => ['approve_prescription', 'manage_inventory', 'create_sale'],
'nurse' => ['view_prescription', 'dispense_medicine']
];
// Permission check function
function hasPermission($requiredPermissions) {
if (!isset($_SESSION['user_id']) || !isset($_SESSION['role'])) {
return false;
}
$userRole = $_SESSION['role'];
// Super admin has all permissions
if ($userRole === 'super_admin') {
return true;
}
// Check if user role has required permissions
$userPermissions = ROLES[$userRole] ?? [];
foreach ($requiredPermissions as $permission) {
if (!in_array($permission, $userPermissions)) {
return false;
}
}
return true;
}
// Usage in API endpoints
if ($_POST['action'] === 'delete_patient') {
// Only super_admin and admin can delete patients
if (!hasPermission(['manage_users'])) {
http_response_code(403);
echo json_encode([
'success' => false,
'error' => 'Insufficient permissions'
]);
exit;
}
// Proceed with deletion...
}
Defense Layer 4: Comprehensive Audit Logging
Every security-relevant action must be logged:
// Audit log function
function logAuditActivity($pdo, $userId, $action, $details, $oldValue = null, $newValue = null) {
$stmt = $pdo->prepare("
INSERT INTO activity_log
(user_id, action, details, old_value, new_value, ip_address, user_agent, clinic_id)
VALUES (?, ?, ?, ?, ?, ?, ?, ?)
");
$stmt->execute([
$userId,
$action,
$details,
json_encode($oldValue),
json_encode($newValue),
$_SERVER['REMOTE_ADDR'],
$_SERVER['HTTP_USER_AGENT'],
getClinicId()
]);
}
// Example usage: Log prescription creation
logAuditActivity(
$pdo,
$_SESSION['user_id'],
'create_prescription',
"Created prescription for patient #$patientId",
null,
$prescriptionData
);
// Example usage: Log sensitive data modification
logAuditActivity(
$pdo,
$_SESSION['user_id'],
'update_patient',
"Updated patient #$patientId allergies",
$oldAllergies, // Old value for audit trail
$newAllergies // New value
);
What Gets Logged
📝 Audit Log Coverage
- Authentication: Login, logout, failed attempts, session timeouts
- Authorization: Permission denials, role changes
- Data access: Patient record views, prescription views
- Data modification: Create, update, delete operations
- Security events: CSRF violations, session hijacking attempts
- Administrative actions: User creation, role assignments, settings changes
Defense Layer 5: SQL Injection Prevention
Healthcare apps handle sensitive queries. One SQL injection = game over.
The Wrong Way (Vulnerable)
// ❌ NEVER DO THIS - SQL Injection vulnerability
$patientId = $_GET['id'];
$query = "SELECT * FROM patients WHERE id = $patientId";
$result = mysqli_query($conn, $query);
// Attacker payload: ?id=1 OR 1=1
// Executed query: SELECT * FROM patients WHERE id = 1 OR 1=1
// Result: Returns ALL patient records
The Right Way (Secure)
// ✅ ALWAYS DO THIS - Prepared statements
$patientId = $_GET['id'];
$stmt = $pdo->prepare("SELECT * FROM patients WHERE id = ?");
$stmt->execute([$patientId]);
$patient = $stmt->fetch();
// Attacker payload: ?id=1 OR 1=1
// PDO treats entire input as string: "1 OR 1=1"
// Result: No match found (safe)
// VaidyaAI uses prepared statements for 100% of queries
// Lines analyzed: 24,113
// SQL injection vulnerabilities found: 0
Defense Layer 6: XSS Prevention
Cross-Site Scripting allows attackers to inject malicious JavaScript. Healthcare data displayed = must be escaped.
// ❌ VULNERABLE: Raw output
echo "<p>Patient name: " . $_POST['name'] . "</p>";
// Attacker payload: <script>fetch('/api?action=steal_data')</script>
// Result: JavaScript executes, steals session
// ✅ SECURE: Escaped output
echo "<p>Patient name: " . htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8') . "</p>";
// Attacker payload: <script>...</script>
// Displayed as text: <script>...</script>
// Result: Harmless text display
// VaidyaAI escapes ALL user input before display
function escape($text) {
return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
// Usage everywhere:
echo "<td>" . escape($patient['name']) . "</td>";
Real-World Security Metrics
After 8 months in production with 1,100+ prescriptions:
0
Security Breaches
0
CSRF Attacks
0
Session Hijacks
0
SQL Injections
Security Incidents Logged (But Prevented)
| Incident Type | Attempts Detected | Outcome |
|---|---|---|
| Invalid CSRF tokens | 7 | Blocked |
| Session timeout attempts | 23 | Logged out |
| Permission violations | 12 | Access denied |
| Suspicious user agent changes | 3 | Session destroyed |
Key insight: Attacks happen. Good security detects and prevents them.
Security Checklist: Are You Covered?
✅ VaidyaAI Security Checklist (All Implemented)
- Session security: HTTPOnly, Secure, SameSite cookies
- CSRF protection: Tokens on all POST requests
- Session regeneration: New ID after login
- Session timeout: 30 minutes inactivity
- User agent validation: Detect session hijacking
- IP validation: Additional hijacking detection
- Role-based access: Granular permissions
- Audit logging: Every action logged
- Prepared statements: 100% of SQL queries
- XSS prevention: All output escaped
- HTTPS enforcement: All traffic encrypted
- Security headers: CSP, X-Frame-Options, etc.
Key Takeaways: Production Security That Works
- Configure sessions correctly: HTTPOnly, Secure, SameSite, strict mode
- CSRF tokens everywhere: Every form, every AJAX request, no exceptions
- Regenerate session IDs: After login to prevent fixation
- Validate session integrity: User agent + IP checks detect hijacking
- 30-minute timeout: Balance security vs UX in clinical workflows
- Use prepared statements: 100% of queries, zero SQL injection risk
- Escape all output: htmlspecialchars() on every user input display
- Log everything: Audit trail for compliance and forensics
- Role-based access: Principle of least privilege
- Test security: Attempt attacks on your own system
Security isn't a feature. It's not optional. It's the foundation everything else is built on. Get it right from day one, or don't ship.
The Bottom Line
VaidyaAI protects 500+ patients, 1,100+ prescriptions, and 8 team members with zero security incidents.
Not because we're security experts. Because we implemented proven fundamentals correctly:
- Secure session configuration
- CSRF tokens on every request
- Prepared statements for all queries
- Escaped output everywhere
- Role-based access control
- Comprehensive audit logging
That's it. No magic. Just solid engineering.
Security Matters in Healthcare
VaidyaAI is built security-first. Zero breaches. Zero compromises. Zero excuses.