
Session hijacking and PHP

Let's just consider the trust that the server has with the user.

Session fixation: to avoid fixation I use session_regenerate_id() ONLY in authentication (login.php).

Session sidejacking: SSL encryption for the entire site.

Am I safe?

Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding".

You should use this code in a PHP header file:

<?php
// Only send the session cookie over HTTPS.
ini_set('session.cookie_secure', 1);
// Keep the session cookie out of reach of document.cookie (JavaScript).
ini_set('session.cookie_httponly', 1);
// Never accept a session id from the URL or a form field, only from the cookie.
ini_set('session.use_only_cookies', 1);
session_start();

This code prevents session fixation. It also helps protect against XSS accessing document.cookie, which is one way that session hijacking can occur. Enforcing HTTPS-only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also, STS is a very cool security feature, but not all browsers support it (yet).
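As an added example (not the answer's own code), here are the same three settings assembled into a reusable bootstrap that also performs the login-time session_regenerate_id() the question mentions, issues a CSRF token against the "session riding" the answer points to, and emits the STS header. The function names, the PHP 7.3+ array form of session_set_cookie_params(), and the SameSite value are my choices, and it assumes the whole site is served over HTTPS as the question states.

```php
<?php
// Added example, not code from the page: hardened PHP session bootstrap (PHP 7.3+).
declare(strict_types=1);

function secure_session_start(): void
{
    // Cookies only: never read a session id from the URL or a POST field.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued (blocks an attacker-chosen id).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // dies with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // invisible to document.cookie
        'samesite' => 'Lax',    // cross-site POSTs do not carry the cookie
    ]);

    // "STS" in the answer is this header; only meaningful on an all-HTTPS site.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    session_start();
}

// Call once the password check has succeeded. Swapping the pre-auth id for a
// fresh one makes any id planted before login (fixation) worthless afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);             // true: delete the old session data
    $_SESSION = [];                          // drop any attacker-seeded state
    $_SESSION['user_id']      = $userId;
    $_SESSION['csrf_token']   = bin2hex(random_bytes(32));
    $_SESSION['logged_in_at'] = time();
}

// Every state-changing form embeds this token as a hidden field.
function csrf_token(): string
{
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or wrong token fails closed.
function verify_csrf(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of every request handler:
secure_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !verify_csrf($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('Bad CSRF token');
}
```

session.use_strict_mode is the piece the original three lines leave out: without it PHP will happily adopt whatever id the cookie carries, which is exactly the situation a fixation attack sets up.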

I would also suggest storing the user agent and IP information in the session, and verifying it on each request. It's not bullet-proof, but it is a fairly significant increase in robustness. While UA forging is really easy, IP forging, while possible, is MUCH harder... But you may have issues with users who are behind a round-robin IP system such as AOL users...

The best practice I have ever found is to save the session data to a database or a text file. The database will have the user agent and IP record, and check it on every request to ensure that the session has never been hijacked by others.

For an example of how sessions are saved to a database, you can see the implementation in the CodeIgniter session library. In my opinion this way is fairly safe to prevent someone hijacking a session.
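As an added example covering the last two answers (the UA/IP binding and the database-backed store), and not code from the answers or from CodeIgniter, the following is a PHP 8 SessionHandlerInterface implementation that keeps sessions in a database, records the client's User-Agent and IP network alongside them, and refuses to resume a session whose fingerprint has changed. The class name, the SQLite file and schema, and the choice to bind only an IP prefix (so that the rotating-IP problem the second answer mentions causes fewer false logouts) are my assumptions.

```php
<?php
// Added example, not code from the page: DB-backed session store with UA/IP binding (PHP 8.0+).
declare(strict_types=1);

final class FingerprintedDbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private string $ua;
    private string $net;

    // $ipPrefixBits: how much of an IPv4 address to bind (24 = /24). A full /32
    // breaks for ISPs that rotate client IPs; a coarser prefix trades a little
    // strength for fewer spurious logouts. IPv6 is always bound at /64.
    public function __construct(PDO $db, string $userAgent, string $remoteAddr, int $ipPrefixBits = 24)
    {
        $this->db  = $db;
        $this->ua  = $userAgent;
        $this->net = self::ipPrefix($remoteAddr, $ipPrefixBits);
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, ua TEXT NOT NULL,
            net TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }

    public static function ipPrefix(string $ip, int $bits): string
    {
        $packed = inet_pton($ip);
        if ($packed === false) {
            return 'invalid';
        }
        if (strlen($packed) === 16) {                       // IPv6
            return bin2hex(substr($packed, 0, 8)) . '/64';
        }
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return long2ip(unpack('N', $packed)[1] & $mask) . '/' . $bits;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data, ua, net FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';                                      // unknown id: empty session
        }
        // Fingerprint changed: treat the presented id as stolen, discard the
        // stored session and give the caller an empty one instead.
        if (!hash_equals($row['ua'], $this->ua) || !hash_equals($row['net'], $this->net)) {
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, ua, net, last_seen) VALUES (?, ?, ?, ?, ?)');
        return $st->execute([$id, $data, $this->ua, $this->net, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }

    // Needed for session.use_strict_mode to work with a user-level handler:
    // an id that is not already in the table is rejected and replaced.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return $st->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

// Wiring (SQLite path is an assumption; point PDO at your real database in production):
$pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new FingerprintedDbSessionHandler($pdo, $_SERVER['HTTP_USER_AGENT'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
session_set_save_handler($handler, true);
ini_set('session.use_strict_mode', '1');
session_start();
```

Because the check runs inside read(), it applies to every request automatically and the application code never sees a session whose User-Agent or network does not match the one that created it; REMOTE_ADDR must be the real client address, so if a reverse proxy sits in front of PHP, resolve the trusted forwarded header before passing it in.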

