PHP ::: 安全 SESSION_ID ::: 没有 CSRF?
使用这个:
function nonce($str,$expires){
return sha1(date('Y-m-d H:i',ceil(time()/$expires)*$expires).$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$salt.$str);
}
假设我在登录后初始化我的session_id,同时生成指纹,如下所示:
session_regenerate_id();
$_SESSION['thumbprint']=nonce(session_id().'thumbprint',86400);
并调用这些:
function valid_session(){
return ($_SESSION['thumbprint']==nonce(session_id().'thumbprint',86400));
}
function logged_in(){
return (valid_session()&&isset($_SESSION['user']['id'])&&isset($_SESSION['user']['typeid'])&&isset($_SESSION['user']['email']));
}
在每个页面的顶部:
if(logged_in==false){//logout & redirect back to index}
在这样的审查下使用指纹,我什至需要为每个函数调用制作令牌或者这种实现足以防止 CSRF 吗?
::: 86400 是 24 小时,我意识到这是一个很长的时间。对于真正的唯一 ID 来说,这是否太长了?
::: 当我说安全函数时,我的意思是可以通过使用相同的随机数或令牌来保护函数。
Using this:
function nonce($str,$expires){
return sha1(date('Y-m-d H:i',ceil(time()/$expires)*$expires).$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$salt.$str);
}
Let's say I initialize my session_id after I log in, also generating a thumbprint, like this:
session_regenerate_id();
$_SESSION['thumbprint']=nonce(session_id().'thumbprint',86400);
And call these:
function valid_session(){
return ($_SESSION['thumbprint']==nonce(session_id().'thumbprint',86400));
}
function logged_in(){
return (valid_session()&&isset($_SESSION['user']['id'])&&isset($_SESSION['user']['typeid'])&&isset($_SESSION['user']['email']));
}
At the top of every page:
if(logged_in==false){//logout & redirect back to index}
With a thumbprint under such scrutiny do I even need to make tokens for each function call or is this implimentation sufficient to protect against CSRF?
::: 86400 is 24 hours which I realize is a long time. Is that too long to realy on a unique ID for?
::: When I say secure functions I mean functions could be secured by using the same nonce or a token.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
只需使用一次性令牌进行表单提交。
uniqid()足以满足此目的。生成令牌时,将其存储在会话中,并将其包含在表单中。然后在表单 POST 处理脚本上进行检查以确保发布的值是会话中的值。您通过使用诸如 $_SERVER['REMOTE_ADDR'] 之类的东西生成指纹所做的一切,从根本上破坏了使用网关的人的应用程序(AOL 是典型的例子)。
Just use one-time tokens for form submissions.
uniqid()is sufficient for this. Store the token in the session when you generate it, and include it in your form. Then on your form POST processing script, check to make sure the value posted is the value in the session.All you're doing by generating thumbprints using stuff like
$_SERVER['REMOTE_ADDR']and such, is fundamentally breaking your application for people who use gateways (AOL is the canonical example).您可以尝试Simon Willison编写的CSRF保护类 http://simonwillison.net/static/ 2008/csrf_protect.php.txt
别忘了查看他的博客:http://simonwillison.net:8003/!结婚了!
您也可以尝试:www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
以及“如何测试 CSRF 漏洞”部分。
玩得开心
You can try the CSRF protect class written by Simon Willison http://simonwillison.net/static/2008/csrf_protect.php.txt
Don't forget to check his blog : http://simonwillison.net:8003/ ! Got married !
Also you may try: www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
and the "How to Test for CSRF Vulnerabilities" section.
Have fun