PHP会话安全吗? [英] Is PHP session safe?
问题描述
1。例如,没有SSL,如果我捕获本地局域网数据包并且扫描了会话ID,那么是否可以劫持会话?
2.所以没有SSL的网络应用程序会话处理的任何建议?
谢谢。
howa napisa ??(a):
1.例如,没有SSL,如果我捕获我的本地LAN数据包并且
扫描了SESSION ID,是否有可能劫持会话?
不幸的是是
2.所以任何建议没有SSL的网络应用程序会话处理?
- 使用非常短的会话生命周期
- 强制用户在执行重要操作之前再次登录/>
-
Wiktor Walc
http://phpfreelancer.net
- 强制用户在做重要事情之前再次登录
我发现很多雅虎!或者Google只在身份验证期间使用SSL
,其余服务仅由普通HTTP提供...
真的对如何防止会话感兴趣劫持,特别是来自具有相同IP的
邻居主机,真的很难......
> - 使用非常短的会话有效期
> - 强制用户在执行重要操作之前再次登录
并在更改用户权限时更改会话(即,在
$ b $之后b成功登录)。 PHP的函数session_regenerate_id()适合
。
在网上搜索session hijacking和会话固定。有
a很多信息...
祝你好运,
-
Willem Bogaerts
申请史密斯
Kratz BV
http://www.kratz.nl/
1. For example, without SSL, If I capture my local LAN packet and
scanned the SESSION ID, is it possible to hijack the session?
2. So any recommendation for web apps session handling without SSL?
Thanks.
howa napisa??(a):1. For example, without SSL, If I capture my local LAN packet and
scanned the SESSION ID, is it possible to hijack the session?
unfortunately yes
2. So any recommendation for web apps session handling without SSL?
- use very short session life time
- force user to login again before doing something important
--
Wiktor Walc
http://phpfreelancer.net
- use very short session life time- force user to login again before doing something importantI found that many Yahoo! or Google only use SSL during authentication
only, the rest of the services are provided by plain HTTP only...
really interested in how to prevent session hijacking, especailly from
neighbor hosts with the SAME IP, really difficult...
> - use very short session life time> - force user to login again before doing something important
And change session whenever you change user rights (i.e., after a
successful login). PHP''s function session_regenerate_id() is suitable
for this.
Search the net for "session hijacking" and "session fixation". There is
a lot of info available...
Best regards,
--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/
这篇关于PHP会话安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
