PHP 中正确的会话劫持预防 [英] Proper session hijacking prevention in PHP
问题描述
我知道这个话题已经讨论了很多,但我还有一些具体问题没有得到解答.例如:
I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example:
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');
// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');
<小时>
// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);
// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
<小时>
session_start();
// If the user is already logged
if (isset($_SESSION['uid'])) {
// If the IP or the navigator doesn't match with the one stored in the session
// there's probably a session hijacking going on
if ($_SESSION['ip'] !== getIp() || $_SESSION['user_agent_id'] !== getUserAgentId()) {
// Then it destroys the session
session_unset();
session_destroy();
// Creates a new one
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
}
} else {
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
// Set the default values for the session
setSessionDefaults();
$_SESSION['ip'] = getIp(); // Saves the user's IP
$_SESSION['user_agent_id'] = getUserAgentId(); // Saves the user's navigator
}
所以,我的问题是
ini_set
是否提供了足够的安全性?- 可以保存用户的IP和导航器然后检查每次加载页面时检测会话劫持?这会不会有任何问题?
session_regenerate_id()
的使用是否正确?session_id()
的使用是否正确?
- do the
ini_set
's provide enough security? - is it okay to save the user's IP and navigator and then check it every time the page is loaded to detect a session hijack? Could this be problematic in any way?
- is the use of
session_regenerate_id()
correct? - is the use of
session_id()
correct?
推荐答案
你的配置很棒.您肯定阅读了有关如何锁定 php 会话的信息.但是,这行代码否定了您的 php 配置提供的许多保护:session_id(sha1(uniqid(microtime()));
Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration:
session_id(sha1(uniqid(microtime()));
这是一种特别糟糕的生成会话 ID 的方法.根据您的配置,您正在从 /dev/urandom
生成会话 ID,这是一个很棒的熵池.这将比 uniqid() 更随机,uniqid() 已经主要是一个时间戳,向这个混合添加另一个时间戳根本没有帮助.尽快删除这行代码.
This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from /dev/urandom
which is a awesome entropy pool. This is going to be a lot more random than uniqid() which is already mostly a timestamp, adding another timestamp to this mix doesn't help at all. Remove this line of code, asap.
检查 IP 地址是有问题的,IP 地址因合法原因而更改,例如用户是否在负载平衡器或 TOR 后面.用户代理检查是没有意义的,就像有一个像 ?is_hacker=False
这样的 GET 变量,如果攻击者有会话 ID,他们可能有用户代理,如果他们没有,这个值是真的很容易蛮力.
Checking the IP address is problematic, ip addresses change for legitimate reasons, such as if the user is behind a load balancer or TOR. The user agent check is pointless, it is like having a GET variable like ?is_hacker=False
, if the attacker has the session id they probably have the user agent, and if they don't this value is really easy to brute force.
这篇关于PHP 中正确的会话劫持预防的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!