信任X转发 - 为了“识别”一个访客 [英] Trusting X-Forwarded-For to "identify" a visitor

问题描述

会话劫持

所以我有一个小问题。我试图找出一个访问者，如果不是这个问题中提到的$ _SERVER可读性非常困难，那么：防止会话劫持。

可能的解决方案

比从客户端A复制cookie到客户端B（这是令人伤心的儿童游戏）更困难，我想收集一些信息并根据我存储的内容进行验证。在我的数据库中，我想存储用户代理，IP地址，操作系统等。我将使用MCRYPT进行加密并存储。要与用户进行匹配，必须设置很多变量，这使得它比复制cookie内容以进行登录要困难得多。

问题

以下是我的问题开始时间... User-代理和操作系统几乎不完全相同。原因是它是胖客户端具有相同的可启动镜像。另一个问题是IP。 Datacenter中的服务器连接到办公室。对于我们的应用程序（甚至不可外部访问），IP地址对于每个客户端都是相同的。我发现我可以尝试使用X-Forwarded-For头来区分IP地址，从而使用户更加独特。

下一步是什么？

我想知道以下内容：如何确保X-Forwarded-For总是设置为无需任何客户端可使用？是否需要通过路由添加某些内容？我们的连接是https，所以我怀疑我只能注入一些东西。接下来，如果我可以注入类似的东西，用户客户端可以这样做吗？

客户端位于我们的内部办公网络和应用程序运行在php中）不能从外部访问

解决方案

X-Forwarded-对于和 User-Agent HTTP标头可能很容易被任何用户欺骗（就像将cookie从一台机器复制到另一台机器一样容易） / p>

Chrome扩展程序，例如 Header Hacker 可以在客户端上使用，并且由于您的站点使用的是HTTPS，因此这些报头不能在路由中添加（因为报头需要添加到OSI应用层，而不是传输层） 。

如果您担心用户在彼此之间复制cookie，是否有任何机制阻止他们共享用户名和密码c redentials？如果你确实设法实现了验证他们的会话仍然在同一台客户端机器上的东西，他们难道不能通过彼此登录来实现它吗？

Aside从我的问题来看，为了解决方案，您可以将本地代理引入您的内部网络，纯粹是为了连接到您的数据中心的站点。该站点应拒绝来自代理服务器IP的任何连接（将Web服务器或防火墙配置为仅接受代理的客户端IP以进行Web连接）。使用这种方法，您需要将SSL证书安装到每个客户机可以信任的代理上。这将使代理服务器能够解密流量，添加适当的IP地址头（由客户端覆盖任何设置），然后将其转发到您的服务器上。服务器代码然后可以安全地检查 X-Forwarded-For 标头，以确保它在每个用户会话中保持不变。

<如果这听起来像是一个很好的解决方案，请评论如果您有任何问题，我会更新我的答案。

另外两个想法：

• 您可以使用某些方法为 panopticlick 。但是，由于这是从客户端检索各种值并创建指纹，因此如果标头与其他用户的标头设置相同，则它们都可能被伪造。此外，由于每台计算机都来自相同的可引导映像，因此无论如何这可能都是相同的。


• 滚动会话cookie：您可以使用 session_regenerate_id（） 。这将更新创建请求的客户端的会话ID，并且使用相同ID的任何其他客户端将被注销，因为它们正在发送旧的会话ID。实际上，您可以在每个请求上执行此操作，以确保只有当前客户端正在使用当前会话。

Session Hijacking

So I have a slight problem. I'm trying to identify a visitor, which is very hard if not impossible by $_SERVER veriables as mentioned in this question: Preventing session hijacking.

Possible Solution

To make a bit harder than just copying the cookie from Client A to Client B (which is sadly childsplay), I want to collect some info and validate this against something I have stored. In my database I want to store things like User-Agent, IP-Address, OS etc. This I will encrypt using MCRYPT and store. To match against a user, a lot of variables have to be set, this makes it somewhat harder than just copying the cookie contents to login.

The problem

Here's when my problem starts... The User-Agent and OS are nearly if not completely identical. The reason is that it are Fat Clients with the same bootable image. Another problem is the IP. The server in the Datacenter has a connection to the office. For our applications (even tho not externally accessible) the IP-Address is the same for every client. I found out that I could try to use the X-Forwarded-For header to distinguish IP addresses and thus make the user a bit more unique.

What's next?

What I would like to know is the following: How can I make sure the X-Forwarded-For is ALWAYS set without having to anything the clients have access to? Does something have to be added there by routing? Our connection is https, so I doubt I can just "inject" something. Next to that, if I can inject something like this, can the users client side do this?

The clients are in our internal office network and the applications (running in php) are not accessible from the outside

解决方案

The X-Forwarded-For and User-Agent HTTP headers can easily be spoofed by any user (just as easily as copying a cookie from one machine to another).

Chrome extensions such as Header Hacker can be used on the client, and since your site is using HTTPS these headers cannot be added en route (as the headers need to added to the OSI application layer, not the transport layer).

If you're worried about users copying cookies between one another, is there any mechanism that would stop them sharing their username and password credentials? If you did manage to implement something that verified that their sessions remained on the same client machine, couldn't they simply work round it by logging in as each other?

Aside from my questions, for a solution you could introduce a local proxy into your internal network, purely for connecting to your site at the data centre. The site should reject any connections that are not from the IP of the proxy server (configure the web server or firewall to only accept the client IP of the proxy for web connections). Using this approach you will need to install an SSL certificate onto the proxy, which each client machine can trust. This will enable the proxy server to decrypt traffic, add the appropriate IP address header (overwriting any set by the client) and then forward it onto your server. The server code can then safely check the X-Forwarded-For header to make sure it remains constant per user session.

If this sounds like a good solution, please comment if you have any questions and I'll update my answer.

Two other thoughts:

• You could use something to fingerprint the browser like panopticlick. However, as this is retrieving various values from the client and creating a fingerprint, it can all be spoofed if the headers are set the same as another user's. Also, as each machine is from the same bootable image, this might well be the same anyway.
• Rolling session cookies: You could randomly regenerate the session using session_regenerate_id(). This will update the session ID of the client creating the request, and any other client using the same ID will then be logged out because they are sending the old session ID. Actually, you could do this on every request which will ensure that only the current client is using the current session.

这篇关于信任X转发 - 为了“识别”一个访客的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！