我应该在每个页面上重新生成_session_id 吗? [英] Should I regenerate_session_id on every page?
问题描述
我正在尝试为我的用户身份验证会话添加更多安全性.当用户登录时,我 regenerate_session_id 但如果我在我对用户进行身份验证的每个页面上 regenerate_session_id 会帮助我,我想要你的答案.
I am trying to add more security to my user authentication sessions. When the user login I regenerate_session_id but I would like your answer on if I regenerate_session_id on every page that I authenticate the user will help me out.
在每个页面上对用户进行身份验证
<?php
session_start();
if(!isset($_SESSION['MEMBER_ID']) || (trim($_SESSION['MEMBER_ID']) == '')) {
header("location: denied.php");
exit();
}
?>
我将其更改为
session_start();
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
header("location: access-denied.php");
exit();
} else {
session_regenerate_id(); }
推荐答案
您可以使用 session_regenerate_id 来防止会话固定攻击,其中攻击者了解给定用户的会话 ID 然后劫持"该会话 ID 代替用户进行操作.
You may use session_regenerate_id to prevent session fixation attacks, in which the attacker learns the session ID of a given user then "hijacks" that session ID to act in place of the user.
但是,必须小心.一方面,您必须考虑异步请求.如果您有许多来自用户的并发请求,您需要避免这样一种情况:一个脚本正在使用会话数据,而另一个脚本试图重新生成 - 一个脚本正在使用另一个试图销毁的数据.
However, care must be taken. For one, you have to consider asynchronous requests. If you have many concurrent requests coming from a user, you'll want to avoid a situation where one script is using session data when another tries to regenerate - one script is using data that the other is trying to destroy.
此外,这确实增加了开销.重新生成每个请求可能是一种矫枉过正.相反,尝试保留一个请求计数器;每 10 个请求(左右,任意选择),重新生成 ID.
Also, this does add overhead. Regenerating every request is probably an overkill. Instead, try keeping a request counter; every 10 requests (or so, arbitrary selection), regenerate the ID.
确保将参数作为 true 传递 - 您不希望或不需要旧的会话数据(请记住,仍然是并发请求).有关详细信息,请参阅(文档).
Be sure to pass the argument as true - you don't want or need the old session data sitting around (keeping in mind, still, concurrent requests). See the (docs) for more information.
综上所述 - 这种机制是一种微增强",会给您带来比实际安全性更多的虚假安全感.会话固定攻击并不常见,特别是如果您已经采取其他措施来增强安全性.没有什么可以替代的,例如使用 HTTPS 进行安全连接;没有什么可以取代密码复杂性要求.
All that said - this mechanism is a sort of "micro-enhancement" that will give you more false sense of security than actual security. Session-fixation attacks are not very common, especially if you're already taking other measures to bolster security. Nothing can replace, for example, using HTTPS for secure connection; nothing can replace password complexity requirements.
这篇关于我应该在每个页面上重新生成_session_id 吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
