如何防止CodeIgniter 3中的会话劫持 [英] How to prevent session hijacking in CodeIgniter 3
问题描述
我知道这是重复的问题 Codeigniter/PHP会话安全性问题,但抱歉告诉我所有建议采取的措施都失败了,这就是为什么我要重复这个问题,并在2011年提出这个问题,而现在它的答案已经过时了.所以请不要重复.
I know this is a duplicate question Codeigniter/PHP sessions security question but sorry to tell all measure recommended there failed in my case and that is the reason why I am repeating this question and that question asked in 2011 and now its answers will be outdated. So please don't duplicate it.
在我的情况下,我启用了
配置文件中的$config['sess_driver'] = 'database';和$config['sess_match_ip'] = TRUE;.
In my scenario I enabled
$config['sess_driver'] = 'database'; and $config['sess_match_ip'] = TRUE; in config file.
我还将csrf令牌和XSS过滤放入我的身份验证表单中,并始终使用活动记录来防止任何形式的SQL注入.为了提高安全性,我还尝试在10次尝试中实施2要素身份验证,Google ReCaptcha和ip阻止.尽管如此,以上所有措施仅能防止强力攻击,而不能阻止会话劫持.
I also put csrf token and XSS filtering in my authentication form and always use active records to prevent any sort of SQL injection. For extra security, i also implemented 2-factor authentication, Google ReCaptcha and ip blocking on the 10th attempt. Still, all the above measures can only prevent brute force attack in my case and not session hijacking.
如果攻击者获得了ci_session值和我的IP,他就可以轻松登录我的网站,而无需任何登录凭据.
If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.
我知道使用HTTPS可以启用$config['cookie_secure']=TRUE;会有所帮助,但是我不确定100%的安全性,因为我可以轻松登录自己的Twitter帐户(进行会话劫持和Twitter使用HTTPS).
I know using HTTPS can help as I can enable $config['cookie_secure']=TRUE; but I am not 100% sure about it as I can easily login to my twitter account my doing session hijacking and twitter use HTTPS.
我还尝试了我的laravel应用,其默认的中间件身份验证系统可以被会话劫持.
I also tried my laravel app and its default middleware authentication system can be session hijacked.
因此,基本问题是我在会话上进行的所有身份验证工作,而且我不知道其他任何不使用会话即可使用身份验证的方法.
So the basic problem is all my authentication work on the session and I don't know any other method to use authentication without using session.
如果有人对如何提高我的Web应用程序的安全性有任何想法,请帮助我.
If anybody has any idea of how to improve the security of my web application please help me.
谢谢.
推荐答案
防止会话固定意味着防止会话ID被盗.
Preventing session fixation means to prevent the session ID from being stolen.
如果,您只能通过某种方式将其窃取.担心之后发生的事情是没有意义的.
You've only failed if there is a way for it to be stolen. Worrying what happens after that is pointless.
如果攻击者获得了ci_session值和我的IP,他就可以轻松登录我的网站,而无需任何登录凭据.
If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.
没有人可以将他们的IP地址更改为您的IP地址...
Nobody can just change their IP address to yours ...
这篇关于如何防止CodeIgniter 3中的会话劫持的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
