How Do I Make Sessions More Secure?


Problem description

Possible duplicate:
PHP Session Security

I am using sessions all throughout my application. I want to make them much more secure. Currently I am using code like $username = $_SESSION['username']; and the like.

How do I make my sessions more secure?

Recommended answer

The first thing you'll want to watch out for is Session Hijacking. To quote Wikipedia:

In computer science, session hijacking refers to the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

The basic idea is, if a visitor to your website (Alice) has a session cookie and a session ID (let's assume it's 12345), then if a malicious user (Mallory) is able to learn Alice's session ID via either JavaScript, traffic sniffing, social engineering or other methods, then Mallory can browse to your site and set his session ID to 12345 and he effectively becomes Alice.

One way to prevent this is to alter the session ID on every request, which you can do via the PHP session_regenerate_id function. You would call session_regenerate_id at the beginning of every request, after calling session_start().

Please be aware that this is a very complicated topic. I'd highly recommend reading the Wikipedia article and making sure you fully understand the issues at play.

I was about to type a lot more information out for you, but then I realized that your question really is a duplicate of this StackOverflow question. I'd recommend reading that as a starting point.
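The following is an added example, not code from the answer above or from the original question: a small PHP session bootstrap that puts the answer's advice into practice (regenerate the ID after session_start(), and again when the user logs in or out) together with the cookie hardening a practitioner would pair with it. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie), that the site is served over HTTPS, and the hypothetical helper names login_user, logout_user, current_user and check_credentials; the demo password hash is constructed at runtime for illustration only.

```php
<?php
// Added example (not from the original answer). Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// 1. Harden the session cookie before the session is started.
session_set_cookie_params([
    'lifetime' => 0,       // cookie lives until the browser closes
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,    // never sent over plain HTTP (limits sniffing)
    'httponly' => true,    // not readable from JavaScript (limits XSS theft)
    'samesite' => 'Lax',   // not sent on most cross-site requests
]);

// Accept session IDs only from the cookie (never from the URL), and reject
// IDs the server did not issue itself (blocks session fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

session_start();

// 2. Rotate the ID on every request, as the answer suggests. Passing true
//    deletes the old session data, so a captured ID stops working at once.
session_regenerate_id(true);

// 3. Rotate again whenever the privilege level changes, so an ID observed
//    before authentication is never the same ID that carries a logged-in user.
function login_user(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// The read pattern from the question, wrapped so callers get null when
// nobody is logged in instead of an undefined-index notice.
function current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

// Hypothetical credential check with a constructed demo hash; a real
// application would load the hash for the given username from its user store.
function check_credentials(string $username, string $password): bool
{
    static $demoHash = null;
    if ($demoHash === null) {
        $demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    }
    return $username === 'alice' && password_verify($password, $demoHash);
}

// Example request handling.
if (isset($_POST['username'], $_POST['password'])
    && check_credentials((string) $_POST['username'], (string) $_POST['password'])) {
    login_user((string) $_POST['username']);
} elseif (isset($_POST['logout'])) {
    logout_user();
}

echo current_user() === null ? "not logged in\n" : "logged in as " . current_user() . "\n";
```

Regenerating on every request is the strictest form of the answer's advice; because two concurrent requests from the same browser (for example, an AJAX call racing a page load) can race each other for the new ID, many deployments instead regenerate at login, at logout, and on a fixed interval, while keeping session.use_strict_mode and the cookie flags above in all cases.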
