PHP session fixation example and fixes


Question

My question is about this summary on session fixation:

  • Alice has an account at the bank http://unsafe.com/. Unfortunately, Alice is not very security savvy.

  • Mallory is out to get Alice's money from the bank.

  • Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.

  1. Mallory has determined that http://unsafe.com/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe.com/ is thus not secure.
  2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe.com/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
  3. Alice is interested and visits http://unsafe.com/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
  4. Mallory visits http://unsafe.com/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account. (credit: RichieHindle)

Questions:

Q1 - Is there a way to explicitly prevent the site from accepting any session identifier?

Q2 - I don't use the $_GET variable on my site, so is there a way to prevent accepting session identifiers from query strings?

  • Note: I am using php 5.4.3 with SSL and will also be using session_regenerate_id.

Answer

You could set the options martinstoeckli mentioned in his answer, but this won't prevent session fixation. It makes session fixation a little harder to attack, but it doesn't prevent it.

As ServerBloke mentioned, you prevent session fixation by using session_regenerate_id() immediately after verifying the user's login information and before you show the first page that requires authentication.

Making it harder for the attacker to exploit session fixation does not prevent session fixation. You must generate a new session ID.

More and more, people are using public unsecured untrusted wi-fi hot spots. Sessions can be sniffed from the air. On a physical network, they can be sniffed off the wire. They can also force you to visit any URL by employing a man-in-the-middle attack. So, session fixation is still a problem, even if the attacker can't send you URLs.

Knowing that sessions (and passwords) can be sniffed, there is another step that is required to prevent session hijacking. That is HTTPS (TLS/SSL).

All protected pages that require authentication should be accessed only over HTTPS. So, the login page (the one where the user sends their username and password) should be accessed via HTTPS. In that same script, you must regenerate a new session ID. All pages for the remainder of the session must then be accessed via HTTPS to protect the new session ID.

Here's an example pseudocode login.php script:

<?php
// Force SSL (some servers set HTTPS to "off" instead of leaving it unset)
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
  die('Must login via HTTPS');
}

// Load the current session (its ID may be one the attacker fixed)
session_start();

// Validate the login information, being sure to escape the input
...
if (! $valid) {
  die('Invalid login');
}

// Start the new session ID to prevent session fixation.
// Passing true deletes the old session on the server as well, so the
// attacker-known ID no longer refers to any session at all.
session_regenerate_id(true);

// Clear the old session data that was copied over to the new ID
$_SESSION = array();

// Log them in under the fresh ID
$_SESSION['user_id'] = $userID;
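As an added example that is not part of the original question or answer (and does not reproduce martinstoeckli's referenced answer, which this page omits), here is a complete login.php that combines the php.ini session settings addressing Q1 and Q2 with the session_regenerate_id() fix from the answer above. It assumes PHP 5.5 or later for password_hash()/password_verify() and for session.use_strict_mode (added in PHP 5.5.2; on the asker's 5.4.3 that one ini_set() is simply ignored), the default file-based session handler, and a constructed single-user credential table; authenticate() stands in for the application's real user lookup.

```php
<?php
/*
 * Added example, not code from the original question or answer.
 * Assumptions: PHP >= 5.5 (password_hash/password_verify, use_strict_mode),
 * default "files" session handler, site served over HTTPS only.
 * The credential table in authenticate() is constructed for this example.
 */

/**
 * Q2: session.use_only_cookies makes PHP ignore ?PHPSESSID=... in the URL
 *     (it has defaulted to 1 since PHP 5.3), and use_trans_sid=0 stops PHP
 *     from ever writing the ID into links and forms.
 * Q1: session.use_strict_mode makes PHP reject an ID it did not issue and
 *     hand out a fresh one instead of adopting I_WILL_KNOW_THE_SID.
 * Must run before session_start().
 */
function hardenSessionConfig()
{
    ini_set('session.use_only_cookies', '1');  // Q2: never read the SID from the query string
    ini_set('session.use_trans_sid',    '0');  // Q2: never rewrite the SID into URLs
    ini_set('session.use_strict_mode',  '1');  // Q1: reject uninitialised IDs (PHP >= 5.5.2)
    ini_set('session.cookie_httponly',  '1');  // cookie not readable from JavaScript
    ini_set('session.cookie_secure',    '1');  // cookie only sent over TLS
}

/** Abort on plain HTTP; some servers set HTTPS to "off" rather than unsetting it. */
function requireHttps()
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('HTTP/1.1 403 Forbidden');
        die('Must login via HTTPS');
    }
}

/**
 * Constructed credential check: the hash is computed at startup only so the
 * example is self-contained; a real application stores it in its user table.
 * Returns the user id, or null when the login is invalid.
 */
function authenticate($username, $password)
{
    static $users = null;
    if ($users === null) {
        $users = array(
            'alice' => array(42, password_hash('correct horse battery staple', PASSWORD_DEFAULT)),
        );
    }
    if (!isset($users[$username])) {
        return null;
    }
    list($id, $hash) = $users[$username];
    return password_verify($password, $hash) ? $id : null;
}

/**
 * The answer's fix: once the credentials check out, replace the session ID
 * and delete the old session on the server, so whatever ID Mallory fixed
 * is dead. Returns the new ID so the caller can confirm it changed.
 */
function loginUser($userId)
{
    $_SESSION = array();           // drop anything stored under the old ID
    session_regenerate_id(true);   // true = delete the old session, not just copy it
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time(); // lets protected pages enforce an absolute lifetime
    return session_id();
}

/** Protected pages call this first; it fails closed. */
function requireLogin()
{
    if (empty($_SESSION['user_id'])) {
        header('HTTP/1.1 401 Unauthorized');
        die('Not logged in');
    }
}

/** Logout: clear data, expire the cookie, destroy the server-side session. */
function logoutUser()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// ---- login.php request flow ----
hardenSessionConfig();
requireHttps();
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user   = isset($_POST['username']) ? $_POST['username'] : '';
    $pass   = isset($_POST['password']) ? $_POST['password'] : '';
    $userId = authenticate($user, $pass);
    if ($userId === null) {
        die('Invalid login');
    }
    $oldId = session_id();
    $newId = loginUser($userId);
    // $newId !== $oldId here: a fixed I_WILL_KNOW_THE_SID no longer reaches this session
    header('Location: /account.php');
    exit;
}
```

With these settings the fixed ID in Mallory's link is already ignored (use_only_cookies) or rejected (use_strict_mode), but the answer's point still stands: only session_regenerate_id(true) at login guarantees that whatever ID Alice arrived with, via URL, cookie injection or a sniffed pre-login cookie, is not the ID that carries her authenticated session.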
