Session spoofing (PHP)

Views: 89

Problem description

I am coding a website in PHP that contains the boolean $_SESSION['logged_in']. This is set to true when a username and password match are present in the database.

I am quite new to sessions and was just wondering if it could be possible for an unregistered (or, for that matter, registered) user to bypass the login process by setting this boolean to true, as would be possible with a cookie.

I understand that the user would have to manipulate a server-side variable from the client-side, but my questions are how easy would this be, how would the user go about accomplishing such a task, are there any known exploits, and what are the best practices / preventative measures to avoid this sort of attack?

Recommended answer

Let's start with the good news: The $_SESSION array is by default completely invisible and unmanipulable by the client: It exists on the server, and on the server only, in an execution environment that is not open to the client.

Now back to earth: It is quite easy to get your PHP code "nearly right" and thus open a door between the client and the session as seen by the server. In addition to this, stealing a client session (including a cookie) is quite easy.

I recommend a few mitigations that have been proven quite effective:

  • Do not store a "logged in" value - instead store a "session cookie" value, and set the cookie to the client. On a client request make something along the lines of $loggedin=($_SESSION['cookie']==$_COOKIE['session']). This makes the attacker need both: cookie and session ID.
  • Refresh the session cookie quite often, on a wrong cookie kill the session. If a black hat steals cookie and session, the next click by the real user will log out both and create a loggable event.
  • If your requests come from JS, think of creating a simple authentication function: Instead of sending the authentication token, salt it, pepper it with a timestamp, then hash it. Send salt, timestamp and hash. Make the server check the timestamp.
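The first two mitigations above, written out as an added PHP example (not code from the answer or the asker): the session is bound to a second random cookie, the two are compared on every request with a constant-time check, a mismatch destroys the session and logs the event, and the binding value is rotated regularly. The cookie name `auth_bind`, the session keys `bind_token` / `bind_issued` and the 300-second rotation interval are assumptions.

```php
<?php
declare(strict_types=1);
// Names BIND_COOKIE / bind_token are hypothetical (added example, not the answer's code).
const BIND_COOKIE   = 'auth_bind';   // second cookie sent to the client
const BIND_LIFETIME = 300;           // rotate the binding value every 5 minutes

session_start();

// Issue a fresh random binding value, keep it server-side and send it to the client.
function issue_binding(): void
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['bind_token']  = $token;
    $_SESSION['bind_issued'] = time();
    setcookie(BIND_COOKIE, $token, [
        'path' => '/', 'secure' => true,           // HTTPS only
        'httponly' => true, 'samesite' => 'Strict' // not readable from JS
    ]);
}

// Called after username/password have been verified against the database.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // new session ID, old one discarded
    $_SESSION['user_id'] = $userId;
    issue_binding();
}

// True only when session and cookie agree: the answer's $loggedin = ($_SESSION[...] == $_COOKIE[...]),
// but with a constant-time compare. On mismatch the session is destroyed and the event
// logged, so a thief holding only one of the two values is locked out.
function is_logged_in(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['bind_token'], $_COOKIE[BIND_COOKIE])) {
        return false;
    }
    if (!hash_equals($_SESSION['bind_token'], (string) $_COOKIE[BIND_COOKIE])) {
        error_log('session binding mismatch for user ' . $_SESSION['user_id']);
        $_SESSION = [];
        session_destroy();
        return false;
    }
    if (time() - $_SESSION['bind_issued'] > BIND_LIFETIME) {
        issue_binding();               // refresh the binding value regularly
    }
    return true;
}
```

Two concurrent requests racing a rotation can see a mismatch and log the real user out; if that matters, accept the previous binding value for a short grace window instead of destroying the session immediately.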
