PHP会话安全 [英] PHP Session Security

问题描述

使用PHP维护负责的会话安全性有哪些准则?网络上到处都是信息，现在是时候将它们全部集中在一个地方了！

What are some guidelines for maintaining responsible session security with PHP? There's information all over the web and it's about time it all landed in one place!

推荐答案

要确保会话安全，有几件事要做:

There are a couple of things to do in order to keep your session secure:

1. 在对用户进行身份验证或执行敏感操作时使用SSL.
2. 只要安全级别发生更改(例如登录)，就重新生成会话ID.如果愿意，您甚至可以为每个请求重新生成会话ID.
3. 会话超时
4. 不要使用全局寄存器
5. 在服务器上存储身份验证详细信息.也就是说，请勿在Cookie中发送诸如用户名之类的详细信息.
6. 检查$_SERVER['HTTP_USER_AGENT'].这为会话劫持增加了一个小障碍.您也可以检查IP地址.但这会导致由于多个Internet连接上的负载平衡等原因而导致IP地址更改的用户遇到问题(在我们的环境中就是这种情况).
7. 锁定对文件系统上会话的访问或使用自定义会话处理
8. 对于敏感操作，请考虑要求登录用户再次提供其身份验证详细信息

1. Use SSL when authenticating users or performing sensitive operations.
2. Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
3. Have sessions time out
4. Don't use register globals
5. Store authentication details on the server. That is, don't send details such as username in the cookie.
6. Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking. You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc (which is the case in our environment here).
7. Lock down access to the sessions on the file system or use custom session handling
8. For sensitive operations consider requiring logged in users to provide their authenication details again

这篇关于PHP会话安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！