Session hijacking or attack?
Lately I have seen this in my error log (1 per day, and I have 40k visitors per day):
[22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /var/my_files/class.session.php on line 67
[22-Sep-2009 21:13:52] PHP Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
[22-Sep-2009 21:13:52] PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0
This is not a config issue because it is working for everybody.
I already modified php.ini to have this:
session.use_only_cookies = 1
session.use_trans_sid = 0
I suspect a session hijacking or a kind of attack I am not aware of (I am paranoid ;) ).
Do you have any idea what it could be? What can I do to improve the security and avoid this?
Comments (3)
What is probably done here is that this client has changed the PHPSESSID cookie's content. Normally the SessionID is something like "62bf75fb02922cf9c83fb3521255b4ab" (hexadecimal).
However, the user might have modified the cookie using some tools. This causes no harm to your website and server because this modification is done client side and by doing so it does not affect the server (except generating those errors). What you can do is that when you receive such an error, you change the session ID and replace the one that is on the client.
See solution:
Remember, you can't replace or write a file onto the server via PHP session cookie. It is only when a session is successfully started that PHP writes a Session file about the current session and stores it to the tmp folder. Once the file becomes old, the file is deleted.
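One way to implement that suggestion, as an added example that is not the answer's own code: check the incoming session cookie against the character set named in the warning before calling session_start(), and issue a fresh ID when it fails. It assumes PHP 7+, the default cookie name returned by session_name(), and an assumed upper length bound of 128 characters.

```php
<?php
// Added example: reject a malformed PHPSESSID before session_start() so a
// tampered or bot-supplied value is dropped instead of producing the
// "session id contains illegal characters" / "Failed to write session data"
// warnings seen in the question.

// Character set quoted in the PHP warning: a-z, A-Z, 0-9, '-' and ','.
// The 128-character cap is an assumption, not a PHP rule.
function isValidSessionId(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id);
}

function startSessionSafely(): void
{
    $name = session_name();  // "PHPSESSID" unless php.ini changes it

    if (isset($_COOKIE[$name]) && !isValidSessionId($_COOKIE[$name])) {
        // Record it for the admin; the client address is informational only.
        error_log('Discarding malformed session cookie from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));

        // PHP's session module reads the ID from $_COOKIE, so removing it
        // here makes session_start() generate a new ID instead of failing.
        unset($_COOKIE[$name]);
        // Expire the bad cookie on the client as well.
        setcookie($name, '', time() - 3600, '/');
    }

    session_start();

    // Rotate the ID on first use so a client-chosen value never persists.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

startSessionSafely();
```

The same check is worth running against session IDs that arrive in a GET parameter if use_trans_sid is ever re-enabled, since those are the values a bot can set most easily.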
This is most likely caused by spambots. I see a lot of spambots being sent a session ID as a GET parameter, which they then try to use for SMTP injection or to send email. I'll try to find proof somewhere from my logs but I know it's happened to me on at least a dozen sites. When I saw it, the GET vars looked like:
[email protected]\n\subject:blah blah blah\n\nspam email here etc...
My best guess is someone has a bad session id in their session cookie and is causing the error.
I can't see how anyone would use an invalid session id for session hijacking.
If you want to reproduce the error: