会话管理和安全
这是我当前的会话管理:
if(!isset($_SESSION["user"]["authenticated"]) ||
!$_SESSION["user"]["authenticated"])
redirect("login.php");
if($_SESSION["user"]["browserHash"] != md5($_SERVER["HTTP_USER_AGENT"]))
redirect("logout.php?err=browser_mismatch");
if($_SESSION["user"]["IPHash"] != md5($_SERVER["REMOTE_ADDR"]))
redirect("logout.php?err=ip_mismatch");
if(!isset($_SESSION["user"]["nonce"]) ||
$_SESSION["user"]["nonce"] == $_COOKIE["SITE_nonce"])
{
$nonce = md5(mt_rand() . time() . $_SERVER["REMOTE_ADDR"]);
$_SESSION["user"]["nonce"] = $nonce;
setcookie("SITE_nonce", $nonce, (60 * 15), "/path");
}
else
redirect("logout.php?err=nonce_mismatch");
我知道更改 IP 问题并计划仅使用 IP 地址的前 3 部分。但我担心的是攻击者能够嗅探标头等。那我就不受保护了吧?如果我是受害者网络中的攻击者,我只需在嗅探一个响应标头后发出一个快速 GET 请求,即可获得重新生成的随机数。真的有办法阻止这种情况吗?
如果不是太多的话,我也希望能够深入了解我的方法。如何规避这一点?我错过了什么大事吗?
This is my current session management:
if(!isset($_SESSION["user"]["authenticated"]) ||
!$_SESSION["user"]["authenticated"])
redirect("login.php");
if($_SESSION["user"]["browserHash"] != md5($_SERVER["HTTP_USER_AGENT"]))
redirect("logout.php?err=browser_mismatch");
if($_SESSION["user"]["IPHash"] != md5($_SERVER["REMOTE_ADDR"]))
redirect("logout.php?err=ip_mismatch");
if(!isset($_SESSION["user"]["nonce"]) ||
$_SESSION["user"]["nonce"] == $_COOKIE["SITE_nonce"])
{
$nonce = md5(mt_rand() . time() . $_SERVER["REMOTE_ADDR"]);
$_SESSION["user"]["nonce"] = $nonce;
setcookie("SITE_nonce", $nonce, (60 * 15), "/path");
}
else
redirect("logout.php?err=nonce_mismatch");
I am aware of changing IP issues an plan on using only the first 3 parts of the IP address. But what I am concerned about is the attacker is able to sniff headers and such. Then I won't be protected right? If I were an attacker within the victims network, I would simply make a quick GET request after I sniff one response header and I will get the regenerated nonce. Is there really a way to prevent this?
If it wouldn't be too much, I was also hoping on getting an insight on my approach. How can this be circumvented? Am I missing something big?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果用户在您在服务器端更新随机数之后但在用户收到新 cookie 之前发出新请求,则重新创建随机数的方法将会失败。
例如,如果用户在页面加载失败后按下 F5,或者在新窗口/选项卡中打开大量链接,就会发生这种情况。
放弃检查 IP 的想法。 IP 地址可能因多种原因而完全改变。例如,考虑负载平衡代理或移动用户切换漫游区域。
可以检测到用户代理更改,并且您可以要求他们提供密码,但是让他们重新登录(并重新启动他们正在做的事情)对用户来说不是很友好。
总而言之,您正在尝试使用基于 cookie 值的会话来保护您的系统免遭会话窃取。为此,您需要 SSL,所有其他选项在安全性方面几乎没有作用。基于 cookie 的会话令牌是当前接受的用于管理会话的方法,并且被认为足够安全。
此外,CSRF 攻击比会话劫持攻击更危险,并且您不能用您的建议来阻止这些攻击。所以我的建议是:首先关注该领域。
Your approach with recreating the nonce will fail if the user makes a new request after you, on the serverside, updated the nonce, but before the user receives the new cookie.
this happens for example if the user hit's F5 after a failed page load or if they open a lot of links in new windows/tabs.
Drop the idea for the IP-check. The IP address can change completely for many reasons. Think about load balancing proxies or mobile users switching roaming area for example.
A user-agent change could be detected and you could ask for a their password, but having them relogin (and restart what they where doing) is not very user friendly.
All in all, you are trying to protect your system from session stealing, with a session based on a cookie value. You need SSL for this, all other options will do little in terms of security. A cookie based session token is the currently accepted method for managing sessions, and deemed safe enough.
Also, CSRF attack are way more dangerous than session hijack attacks, and you do not stop those with what you propose. So my advice would be: focus on that area first.
为了防止嗅探标头,您需要通过 SSL/TLS 保护连接。
To prevent sniffing of headers, you need to secure the connection over SSL/TLS.