简体繁体 English

会话劫持在 PHP 中究竟是如何工作的？

[英]How exactly does session hijacking work in PHP?

原文 2012-08-05 20:27:37 2 3 php/ security/ session/ cookies

I've made a website which has registration/login.我做了一个有注册/登录的网站。 I can see the PHPSESSID cookie in Chrome's Developer Tools, so I'm wondering how can I use this session id value to hijack into the account I'm logged, from let's say a different browser, for simplicity's sake?我可以在 Chrome 的开发人员工具中看到 PHPSESSID cookie，所以我想知道如何使用这个会话 ID 值劫持我登录的帐户，为了简单起见，让我们说一个不同的浏览器？

Should a secure website be able to determine that this session is being hijacked and prevent it?一个安全的网站是否应该能够确定这个会话被劫持并阻止它？

Also, how come other big sites that use PHP (eg Facebook) do not have PHPSESSID cookies?另外，为什么其他使用 PHP 的大网站（例如 Facebook）没有 PHPSESSID cookie？ Do they give it a different name for obscurity, or do they just use a different mechanism altogether?他们是给它一个不同的名字来表示晦涩难懂，还是他们只是使用完全不同的机制？

3 个解决方案

Lots of good questions, and good on you for asking them.很多好问题，感谢你提出这些问题。

First.. a session is just a cookie.首先.. 会话只是一个cookie。 A 'session' is not something that's part of the HTTP stack. “会话”不是 HTTP 堆栈的一部分。 PHP just happens to provide some conveniences that make it easy to work with cookies, thus introducing sessions. PHP 恰好提供了一些便利，使使用 cookie 变得容易，从而引入了会话。 PHP chooses PHPSESSID as a default name for the cookie, but you can choose any you want.. even in PHP you can change the session_name. PHP 选择 PHPSESSID 作为 cookie 的默认名称，但您可以选择任何您想要的名称。即使在 PHP 中，您也可以更改 session_name。

Everything an attacker has to do is grab that session cookie you're looking at, and use it in its own browser.攻击者所要做的就是获取您正在查看的会话 cookie，并在其自己的浏览器中使用它。 The attacker can do this with automated scripts or for instance using firebug, you can just change the current cookie values.攻击者可以使用自动脚本或例如使用萤火虫来做到这一点，您可以只更改当前的 cookie 值。

So yes, if I have your id.. I can steal your session if you didn't do anything to prevent it.所以是的，如果我有你的 id.. 如果你不采取任何措施来阻止它，我可以窃取你的会话。

However.. the hardest part for an attacker is to obtain the cookie in the first place.然而……对于攻击者来说最困难的部分是首先获得cookie。 The attacker can't really do this, unless:攻击者不能真正做到这一点，除非：

They have access to your computer他们可以访问您的计算机
They somehow are able to snoop in on your network traffic.他们以某种方式能够窥探您的网络流量。

The first part is hard to solve.. there are some tricks you can do to identify the computer that started the session (check if the user agent changed, check if the ip address changed), but non are waterproof or not so great solutions.第一部分很难解决。您可以使用一些技巧来识别启动会话的计算机（检查用户代理是否更改，检查 ip 地址是否更改），但没有防水或不是很好的解决方案。

You can fix the second by ensuring that all your traffic is encrypted using HTTPS.您可以通过确保所有流量都使用 HTTPS 加密来解决第二个问题。 There are very little reasons to not use HTTPS.没有理由不使用 HTTPS。 If you have a 'logged in' area on your site, do use SSL!!如果您的网站上有“登录”区域，请务必使用 SSL！！

I hope this kind of answers your question.. A few other pointers I thought of right now:我希望这能回答你的问题。我现在想到的其他一些建议：

Whenever a user logs in, give them a new session id每当用户登录时，给他们一个新的会话 ID
Whenever a user logs out, also give them a new session id!每当用户注销时，也给他们一个新的会话 ID！
Make sure that under no circumstances the browser can determine the value of the session cookie.确保浏览器在任何情况下都无法确定会话 cookie 的值。 If you don't recognize the cookie, regenerate a new one!如果您不认识该 cookie，请重新生成一个新的 cookie！

If you're on the same IP and using the same browser, all you have to do is duplicating the session ID (and maybe other cookie values: not really sure if browser specific things like its agent string is tracked/compared; this is implementation dependant).如果您使用相同的 IP 并使用相同的浏览器，那么您所要做的就是复制会话 ID（可能还有其他 cookie 值：不确定是否跟踪/比较了浏览器特定的东西，比如它的代理字符串；这是实现依赖）。

In general, there are different ways to track users (in the end it's just user tracking).一般来说，有不同的方法来跟踪用户（最终它只是用户跟踪）。 For example, you could use a cookie or some hidden value inside the web page.例如，您可以在网页中使用 cookie 或某些隐藏值。 You could as well use a value in HTTP GET requests, a Flash cookie or some other method of authentication (or a combination of these).您也可以在 HTTP GET 请求、Flash cookie 或其他一些身份验证方法（或这些方法的组合）中使用一个值。

In case of Facebook they use several cookie values, so I'd just assume they use one of these values (eg 'xs').在 Facebook 的情况下，他们使用多个 cookie 值，所以我假设他们使用这些值之一（例如“xs”）。

Overall, there's no real 100% secure way to do it (eg due to man-in-the-middle attacks), but overall, I'd do the following:总的来说，没有真正 100% 安全的方法来做到这一点（例如，由于中间人攻击），但总的来说，我会做以下事情：

Upon logging in, store the user's IP address, his browser agent string and a unique token (edit due to comment above: you could as well skip he IP address; making the whole thing a bit less secure).登录后，存储用户的 IP 地址、他的浏览器代理字符串和唯一令牌（根据上面的评论进行编辑：您也可以跳过他的 IP 地址；使整个事情变得不那么安全）。
Client side store the user's unique id (eg user id) and that token (in a cookie or GET value).客户端存储用户的唯一 ID（例如用户 ID）和该令牌（在 cookie 或 GET 值中）。
As long as the data stored in first step matches, it's the same user.只要第一步存储的数据匹配，就是同一个用户。 To log out, simply delete the token from the database.要注销，只需从数据库中删除令牌即可。

Oh, and just to mention it: All these things aren't PHP specific.哦，顺便提一下：所有这些都不是特定于 PHP 的。 They can be done with any server side language (Perl, PHP, Ruby, C#, ...) or server in general.它们可以使用任何服务器端语言（Perl、PHP、Ruby、C#...）或一般的服务器来完成。

Someone sniffs the session ID cookie and sets it for a subsequent request.有人嗅探会话 ID cookie 并将其设置为后续请求。 If that's the only thing authenticated a user, they're logged in.如果这是对用户进行身份验证的唯一方式，那么他们就已经登录了。

Most sites will use authentication based on cookies in some form.大多数站点都会以某种形式使用基于 cookie 的身份验证。 There are several ways to make this more secure such as storing info about the user's browser when they log in (eg user agent, IP address).有几种方法可以使其更加安全，例如在用户登录时存储有关用户浏览器的信息（例如用户代理、IP 地址）。 If someone else naively tries to copy the cookie, it won't work.如果其他人天真地试图复制 cookie，它就不会起作用。 (Of course, there are ways around this too.) You'll also see session cookies being regenerated periodically to make sure they aren't valid for a particularly long time. （当然，也有解决此问题的方法。）您还会看到会话 cookie 会定期重新生成，以确保它们在特别长的时间内无效。

Check out Firesheep for a Firefox extension that performs session hijacking.查看Firesheep ，了解执行会话劫持的 Firefox 扩展。 I'm not suggesting you use it, but you may find the discussion on that page interesting.我不是建议您使用它，但您可能会发现该页面上的讨论很有趣。