PHP Sessions + Useragent with salt


Question

It has been running through my mind for the last couple of days: I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent in the session WITH an additional salt. Something like this:

$fingerprint = md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']);

The salt would make it harder for an attacker to hijack the session, or whatever. But WHY add a salt, when every time you would check it like this:

md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']) === $_SESSION['fingerprint']   // strict ===, not ==

So WHY would a salt make it more secure, since the attacker still only needs the useragent (which is a relatively small set of different useragents) and the session id?

Probably something small I'm overlooking, but I can't figure it out; it's driving me crazy, haha

Thanks!
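The check the question describes, written out as an added example (this is not the questioner's code). It swaps md5(salt . ua) for an HMAC-SHA256 keyed with the secret and uses hash_equals() for the comparison; the secret, the User-Agent strings and the candidate list are constructed for the demo. It shows the two cases that matter: an attacker who holds the session id and the victim's User-Agent passes the check with or without a salt, because the server computes the fingerprint for whatever header is sent; while a fingerprint value that leaks on its own (session store, debug output, backup) can be reversed to the User-Agent from a short guess list only when it is unsalted.

```php
<?php
// Added example, not code from the original question.
// Assumptions: the secret comes from server-side config; the User-Agent
// strings below are constructed sample data.

declare(strict_types=1);

// Keyed fingerprint. The question used md5('SECRET-SALT' . $ua); an HMAC is the
// standard keyed construction for the same purpose.
function make_fingerprint(string $secret, string $userAgent): string
{
    return hash_hmac('sha256', $userAgent, $secret);
}

// Per-request check. hash_equals() gives a constant-time comparison and avoids
// PHP's loose == on hash strings.
function fingerprint_matches(string $secret, string $storedFingerprint, string $requestUserAgent): bool
{
    return hash_equals($storedFingerprint, make_fingerprint($secret, $requestUserAgent));
}

// Attacker who stole the session cookie: the salt plays no role here, the
// server recomputes the fingerprint from whatever User-Agent header arrives.
function attacker_with_stolen_cookie(string $secret, string $storedFingerprint, string $victimUa, string $attackerUa): array
{
    return [
        'copies_victim_ua' => fingerprint_matches($secret, $storedFingerprint, $victimUa),
        'uses_own_browser' => fingerprint_matches($secret, $storedFingerprint, $attackerUa),
    ];
}

// Attacker who obtained only the stored fingerprint: try a small list of
// common User-Agents. Unsalted md5($ua) falls to this; the keyed form does not
// without the secret. $secret === null selects the unsalted variant.
function recover_ua_from_fingerprint(string $leakedFingerprint, array $candidateUas, ?string $secret): ?string
{
    foreach ($candidateUas as $ua) {
        $guess = $secret === null ? md5($ua) : make_fingerprint($secret, $ua);
        if (hash_equals($leakedFingerprint, $guess)) {
            return $ua;
        }
    }
    return null;
}

// --- demo with constructed inputs ---
$secret   = bin2hex(random_bytes(32));   // per-deployment secret, kept out of the code base
$victimUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0';
$candidates = [
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0',
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) Safari/605.1.15',
];

$stored = make_fingerprint($secret, $victimUa);   // what $_SESSION['fingerprint'] would hold

var_dump(attacker_with_stolen_cookie($secret, $stored, $victimUa, 'curl/8.4.0'));
// copies_victim_ua => true, uses_own_browser => false

var_dump(recover_ua_from_fingerprint(md5($victimUa), $candidates, null));     // the Firefox string
var_dump(recover_ua_from_fingerprint($stored, $candidates, 'wrong-secret'));  // NULL
```

The first var_dump is the questioner's point: with the session id and the User-Agent in hand, the fingerprint costs the attacker nothing extra. The last two show what the salt is actually for: a leaked fingerprint stops being a cheap oracle for the User-Agent.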

Answer

The reason that it's suggested to add a salt is simple. Generally, when you're creating this "fingerprint", if you're using only one item of data, which has a limited dataset, then it makes it easier for an outside hacker to generate this and hijack the session.

In your example above, yes, if the attacker has both the "fingerprint" and the User agent, then they will be able to hijack the session.

Adding a salt only makes it harder for an attacker to generate the fingerprint; it's a case of "if they have all but one piece of information, then the last piece of information is rendered useless".

I'd suggest that you add some more things in. For example, within vBulletin (a project I used to work on) the session ID hash (which is basically the same as the fingerprint) is generated with the following code.

define('SESSION_IDHASH', md5($_SERVER['HTTP_USER_AGENT'] . $this->fetch_substr_ip($registry->alt_ip))); // this should *never* change during a session

Furthermore, the session hash is generated using

md5(uniqid(microtime(), true));

These are both checked when trying to identify the session.

So, to hijack the session, the person would need to know the following:

  • the time on the server when the session was created (exactly)
  • the user's browser agent string
  • the user's IP address

They would also have to spoof the IP address (or at least the first 2/3 octets) to be able to do this.

If they're actually at a point where they've managed to get the above information, then they're probably able to attack in other ways than just session hijacking.

vBulletin doesn't actually use a "salt" per se, but, in your above example, the salt is just adding a limited amount of entropy; it's always best to find as much entropy as possible.

For example, in something I'm currently writing in Python, I generate a hash for usage with XSRF protection. The following is what I use.

    from hashlib import sha1
    from time import gmtime, strftime

    # SHA-1 over the username, the stored password field, the site secret
    # and the current UTC time; hashlib needs bytes, hence the encode()
    self.key = sha1((
        self.user.username +
        self.user.password +
        settings.SECRET_KEY +
        strftime("%a, %d %b %Y %H:%M:%S +0000", gmtime())
    ).encode("utf-8")).hexdigest()

This takes the user's username and password, the current time, and a preset salt to generate it. This would be hard for an attacker to generate due to the salt and the time (though do note that this is only made secure by the fact that it changes once it's used; with time, it wouldn't take much for someone to crack this for a particular user if it wasn't changing).
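The two-part identification the answer attributes to vBulletin (a User-Agent plus partial-IP hash and a random session hash, both checked on every request), together with the one-time token property the XSRF paragraph relies on, as an added PHP example. This is not vBulletin's code and not the answerer's: ip_prefix() stands in for fetch_substr_ip() and keeps three octets (the answer's "first 2/3 octets"), random_bytes() replaces md5(uniqid(microtime(), true)), the fingerprint is keyed with a deployment secret, and the $session and $server arrays are constructed stand-ins for $_SESSION and $_SERVER so it runs from the command line.

```php
<?php
// Added example, not vBulletin's or the answer's code.
// Assumptions: IPv4 clients reaching PHP directly (REMOTE_ADDR is the client),
// a 3-octet IP prefix, and a secret loaded from configuration.

declare(strict_types=1);

// Analogue of vBulletin's fetch_substr_ip(): keep the leading octets so a
// client whose last octet changes mid-session is still recognised.
function ip_prefix(string $ip, int $octets = 3): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return $ip;   // not IPv4: bind the whole address
    }
    return implode('.', array_slice(explode('.', $ip), 0, $octets));
}

// Part 1: deterministic fingerprint, keyed with the site secret.
function session_idhash(string $secret, string $userAgent, string $ip): string
{
    return hash_hmac('sha256', $userAgent . '|' . ip_prefix($ip), $secret);
}

// Part 2: unguessable per-session value from the CSPRNG. The microtime/uniqid
// input of the original construction is clock-derived and guessable.
function new_session_hash(): string
{
    return bin2hex(random_bytes(32));
}

// Store both at login; the session hash is what the client presents back.
function open_session(array &$session, string $secret, array $server): string
{
    $session['idhash']       = session_idhash($secret, $server['HTTP_USER_AGENT'], $server['REMOTE_ADDR']);
    $session['session_hash'] = new_session_hash();
    return $session['session_hash'];
}

// Both values are checked on every request.
function identify_session(array $session, string $secret, array $server, string $presentedHash): bool
{
    $expected = session_idhash($secret, $server['HTTP_USER_AGENT'], $server['REMOTE_ADDR']);
    return hash_equals($session['idhash'], $expected)
        && hash_equals($session['session_hash'], $presentedHash);
}

// CSRF token: random, tied to the session, compared in constant time and
// discarded once checked, so a captured token cannot be replayed.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_check(array &$session, ?string $submitted): bool
{
    $ok = is_string($submitted)
        && isset($session['csrf'])
        && hash_equals($session['csrf'], $submitted);
    unset($session['csrf']);   // one-time use, consumed even on failure
    return $ok;
}

// --- demo with constructed requests ---
$secret  = bin2hex(random_bytes(32));
$session = [];
$victim  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 Firefox/115.0', 'REMOTE_ADDR' => '203.0.113.25'];

$cookieHash  = open_session($session, $secret, $victim);
$sameNetwork = array_replace($victim, ['REMOTE_ADDR' => '203.0.113.77']);   // last octet changed
$attacker    = array_replace($victim, ['REMOTE_ADDR' => '198.51.100.9']);   // copied UA, other network

var_dump(identify_session($session, $secret, $victim, $cookieHash));        // true
var_dump(identify_session($session, $secret, $sameNetwork, $cookieHash));   // true: prefix still matches
var_dump(identify_session($session, $secret, $attacker, $cookieHash));      // false: IP prefix differs
var_dump(identify_session($session, $secret, $victim, new_session_hash())); // false: wrong session hash

$t = csrf_token($session);
var_dump(csrf_check($session, $t));   // true
var_dump(csrf_check($session, $t));   // false: token already consumed
```

Two caveats a practitioner would apply before using the IP part: behind a reverse proxy REMOTE_ADDR is the proxy, so the prefix must come from a forwarding header that only the proxy can set; and users on mobile carriers or multi-homed egress change more than the last octet, so a prefix mismatch is better treated as a re-authentication prompt than a silent logout.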
