PHP Session Hijacking


Question

I have a question regarding session hijacking in PHP. I have been reading about it this morning and I have a few questions that just weren't answered clearly in the documentation I read.

Can a user change their session on my website? i.e. if they have a session of X when they log in, can they change that session to Y, or Z, if they so choose?

I thought that sessions were set by the browser and they couldn't be changed, but all of this session hijacking stuff I've been reading has put some doubt in my mind.

Answer

The term "session" is overloaded to mean different things on the server and in the browser. Browser sessions are at best tenuously connected to server sessions. "Session hijacking" refers to server sessions.

Server-side, a session has an ID (which is passed between the client and server), content (stored on the server) and potentially other properties, such as last access time. The session ID is usually passed as a cookie. In PHP the default name for the cookie is "PHPSESSID". If cookies aren't available, PHP will (optionally) use a query string parameter of the same name ("PHPSESSID"). This cookie (or query param) can easily be changed, and therefore the session identifier can be changed too.

The contents of a session (i.e. containing the login state of a user) cannot be changed by the client; the data is stored on the server and can only be changed by a PHP script on that server. Note that in a shared-hosting environment (shared by other services or users), the sessions can be overwritten if using the default session storage directory (/tmp). To protect against that, either use a database through session_set_save_handler() or set a custom session directory using session.save_path with the proper directory permissions set (preferably 700, which means that only the owner (the PHP user) can read and write to it).

To protect against session hijacking, you must have other ways to identify the user against a session. This can be a user agent, IP address or another cookie. The previously mentioned methods are just workarounds; the best way to protect against stealing of the session cookie is by using HTTPS if a session is involved. Do not forget to set the httponly flag to true using session_set_cookie_params().

Client-side, "session" is again overloaded and used in various contexts (e.g. session managers, which restore open pages when a browser is opened, session cookies and sessionStorage). We can try to combine these meanings (into what is by no means a standard one) by saying a browser session consists of a collection of views and their associated data. (By "view" I mean roughly tabs in tabbed browsers and windows in non-tabbed browsers; the DOM window object exposes a view to JS.) Each view has a history, a current page and page data. Page data for pages in the same domain is shared between views in a session; if two pages are in different domains or different sessions, they don't share data. Exiting the browser closes all open session(s), possibly saving part of the session(s) (e.g. histories, current pages, sessionStorage) so that a session manager can re-open them. Session cookies are cookies that are discarded when a session is closed; in other words, session cookies are non-persistent. Though a session cookie may hold a session ID, the two concepts are orthogonal (sense 4; session cookies can hold things other than session IDs, and session IDs can be stored in persistent cookies).

Whether two different views are in the same collection depends on the browser. For example, one browser may consider a session to consist of all tabs within a single window; separate windows are separate sessions. IE8 lets users create new sessions via the "New session" menu item. Otherwise, new windows and tabs are opened in the same session. Privacy modes also create new sessions.

In summary, browser sessions are indeed set by the browser, though it provides users various means of controlling browser sessions: creating new sessions, changing the history and current page in a view by browsing, saving and restoring sessions. A user could even change session data by editing sessions saved on disk, though this isn't a feature afforded by the browser. None of this has anything to do with session hijacking. Server sessions are created and managed by the server, but users can (attempt to) switch server sessions by changing the session ID their browser passes back to the server, which is the basis for session hijacking.

See also: PHP Session Fixation / Hijacking.
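As an added example (not part of the original question or answer), the following PHP session bootstrap applies the server-side controls the answer describes: session IDs accepted from cookies only (no PHPSESSID query-string fallback), a custom session.save_path outside the shared /tmp, and a cookie carrying the httponly and secure flags set through session_set_cookie_params(). It additionally enables session.use_strict_mode and regenerates the ID on login, which is the usual defence against the fixation variant the answer links to. The save path, the on_login_success() / logout() function names and the user ID are illustrative assumptions.

```php
<?php
// Added example, not the original answer's code. Hardened PHP session bootstrap
// (requires PHP 7.3+ for the array forms of session_set_cookie_params/setcookie).
declare(strict_types=1);

// 1. Accept the session ID from the cookie only. Otherwise PHP may honour
//    ?PHPSESSID=... from the URL, which makes fixation via a crafted link trivial.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Reject IDs the server never issued. A client who edits the PHPSESSID
//    cookie to an arbitrary value gets a fresh server-generated ID instead of
//    a session being created under the attacker-chosen ID.
ini_set('session.use_strict_mode', '1');

// 3. Keep session files out of /tmp on shared hosting.
//    Assumption: this directory exists, is owned by the PHP user, mode 0700.
ini_set('session.save_path', '/var/lib/myapp/sessions');

// 4. Cookie attributes: HTTPS only, unreadable from JavaScript, and not sent
//    on cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,          // 0 = session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',         // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// 5. After authentication, swap to a fresh ID so any ID known to an attacker
//    before login no longer refers to the authenticated session.
//    (Hypothetical helper; your login flow decides when to call it.)
function on_login_success(int $userId): void
{
    session_regenerate_id(true);   // true: delete the old session file as well
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// 6. On logout, clear server-side state and expire the cookie with the same
//    attributes it was set with, so the browser actually drops it.
//    (Hypothetical helper.)
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

The ini_set() calls work because the session.* directives are PHP_INI_ALL, but they only take effect if executed before session_start(); in production the same values belong in php.ini or the vhost configuration so no request can reach session_start() without them. The save directory must be created out of band (chown to the PHP user, chmod 700), since PHP will not create it for you.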
