什么时候以及为什么我应该使用session_regenerate_id()? [英] When and why I should use session_regenerate_id()?

问题描述

为什么以及何时应该在php中使用session_regenerate_id()函数? 使用session_start()之后是否应该始终使用它? 我读到我必须使用它来防止会话固定，这是唯一的原因吗?

Why and when should I use the session_regenerate_id() function in php? Should I always use it after I use the session_start()? I've read that I have to use it to prevent session fixation, is this the only reason?

推荐答案

什么是session_regenerate_id()?

正如函数名称所说，它是一个函数，它将用新的ID替换当前的会话ID，并保留当前的会话信息.

What is session_regenerate_id()?

As the function name says, it is a function that will replace the current session ID with a new one, and keep the current session information.

它主要有助于防止会话固定攻击.会话固定攻击是恶意用户试图利用系统中的漏洞固定(设置)另一个用户的会话ID(SID)的地方.这样，他们将拥有原始用户的完整访问权限，并能够执行原本需要身份验证的任务.

It mainly helps prevent session fixation attacks. Session fixation attacks is where a malicious user tries to exploit the vulnerability in a system to fixate (set) the session ID (SID) of another user. By doing so, they will get complete access as the original user and be able to do tasks that would otherwise require authentication.

为防止此类攻击，请在用户成功登录时(或对于每个X请求)使用session_regenerate_id()为用户分配新的会话ID.现在只有他具有会话ID，而您的旧(固定)会话ID不再有效.

To prevent such attacks, assign the user a new session ID using session_regenerate_id() when he successfully signs in (or for every X requests). Now only he has the session ID, and your old (fixated) session ID is no longer valid.

正如symbecean在以下评论中指出的，必须在身份验证状态下的任何转换中更改会话ID，而在身份验证转换时必须仅 .

As symbecean points out in the comments below, the session id must be changed at any transition in authentication state and only at authentication transitions.

进一步阅读:

• http://php.net/session_regenerate_id
• https://www.owasp.org/index.php/Session_fixation
• http://en.wikipedia.org/wiki/Session_fixation
• https://wiki.php.net/rfc/precise_session_management

• http://php.net/session_regenerate_id
• https://www.owasp.org/index.php/Session_fixation
• http://en.wikipedia.org/wiki/Session_fixation
• https://wiki.php.net/rfc/precise_session_management

这篇关于什么时候以及为什么我应该使用session_regenerate_id()?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！