PHP会话欺骗/劫持
[英]PHP session spoofing/hijacking
问题描述
When someone logs in to my site, they obviously fill out a form with username and password. 
当有人登录到我的网站时,他们显然在填写带有用户名和密码的表格。 The form then checks if that exists in the database (the encrypted version of that password of course), and then starts a session with that person's user ID as the session ID. 然后,该表单检查数据库中是否存在该密码(当然是该密码的加密版本),然后使用该人的用户ID作为会话ID来启动会话。
Is this prone to any kind of spoofing/hijacking/hacking? 这容易发生任何形式的欺骗/劫持/黑客入侵吗? Is there a safer way to do sessions so that no one can "log into someone elses account" by mistake? 是否有一种更安全的方式进行会话,以使任何人都不会错误地“登录他人的帐户”?
session_regenerate_id();
$_SESSION['SESS_MEMBER_ID'] = $uid;
$_SESSION['SESS_NAME'] = $email;
session_write_close();
1 个解决方案
解决方案1
1 2014-05-12 04:38:29
Your best option is to check the IP address of the user or their user-agent. 最好的选择是检查用户或其用户代理的IP地址。
Of course they will have to re-authenticate if their IP address changes. 当然,如果IP地址发生更改,他们将必须重新进行身份验证。 For example if a user on a smartphone leaves their WiFi range and start using their cellular network. 例如,如果智能手机上的用户离开其WiFi范围并开始使用其蜂窝网络。 I think the security pay off for the minor inconvenience of likely a small percentage of users is worth it. 我认为,为一小部分用户带来的不便带来的安全回报是值得的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.