Session hijacking and PHP
Let's just consider the trust that the server has with the user.
Session fixation: To avoid fixation I use session_regenerate_id() ONLY in authentication (login.php).
Session sidejacking: SSL encryption for the entire site.
Am I safe?
Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding".
You should use this code in a PHP header file:
This code prevents session fixation. It also helps protect against XSS from accessing document.cookie, which is one way that session hijacking can occur. Enforcing HTTPS-only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also, STS is a very cool security feature, but not all browsers support it (yet).
I would also suggest storing the user agent and IP information in the session, and verifying it on each request. It's not bullet-proof, but it is a fairly significant increase in robustness. While UA forging is really easy, IP forging, while possible, is MUCH harder... But you may have issues with users who are behind a round-robin IP system such as AOL users...
The best practice I have ever found is to save the session data to a database or a text file.
The database will have the user agent and IP recorded and check it on every request to ensure that the session has never been hijacked by someone else.
For an example of how sessions are saved in a database you can see the implementation in the CodeIgniter session library. In my opinion this way is fairly safe to prevent someone hijacking a session.
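Pulling the three answers above together, as an added example that is not code from any of the original posts: the session cookie is marked Secure and HttpOnly, the ID is regenerated at login, and a hash of the user agent and IP is stored in the session and compared on every request. It assumes PHP 7.3+ and HTTPS enforced site-wide; the function names and the fingerprint layout are my own choices.

```php
<?php
// Added example, not the original answer's code. Assumes HTTPS is enforced for the whole site.

// 1. Cookie hardening: the session cookie travels only over HTTPS and is not visible to document.cookie.
function configure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // HTTPS-only cookie (the OWASP A9 point above)
        'httponly' => true,   // not readable from JavaScript, so XSS cannot read the ID
        'samesite' => 'Lax',  // limits cross-site requests carrying the cookie ("session riding")
    ]);
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); // STS from the answer above
    session_start();
}

// 2. Binding: hash of user agent + IP (the IP part is the round-robin trade-off mentioned above).
function client_fingerprint(): string {
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

// Called from login.php once credentials have been verified.
function on_successful_login(int $userId): void {
    session_regenerate_id(true);                 // discard the pre-auth ID: defeats session fixation
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
}

// Called on every authenticated request; false means the session must not be trusted.
function session_is_valid(): bool {
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Fingerprint changed mid-session: treat as a possible hijack and drop the session.
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}
```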