Session hijacking and PHP


Question

Let's just consider the trust that the server has with the user.

Session fixation: To avoid fixation I use session_regenerate_id() ONLY in authentication (login.php).

Session sidejacking: SSL encryption for the entire site.

Am I safe?

Answer

Read OWASP A3 - Broken Authentication and Session Management. Also read about OWASP A5 - CSRF, which is sometimes called "session riding".

You should use this code in a PHP header file:

<?php
// Send the session cookie over HTTPS only
ini_set('session.cookie_secure', 1);
// Keep the session cookie out of document.cookie (JavaScript)
ini_set('session.cookie_httponly', 1);
// Accept the session ID from the cookie only, never from the URL
ini_set('session.use_only_cookies', 1);
session_start();

This code prevents session fixation. It also helps protect against XSS accessing document.cookie, which is one way that session hijacking can occur. Enforcing HTTPS-only cookies is a good way of addressing OWASP A9 - Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also, STS is a very cool security feature, but not all browsers support it (yet).
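The following is an added example (not part of the original question or answer) that puts the pieces above together: a session bootstrap with the cookie flags, plus a login handler that calls session_regenerate_id() only after the credentials check out and issues a CSRF token for the "session riding" case. It uses the PHP 7.3+ array form of session_set_cookie_params() so SameSite can be set alongside Secure and HttpOnly, and verify_credentials() is a hypothetical stand-in for a real user store.

```php
<?php
declare(strict_types=1);

// Session bootstrap: include before any output on every page.
function session_bootstrap(): void
{
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    session_set_cookie_params([                // PHP >= 7.3 array form
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // invisible to document.cookie
        'samesite' => 'Lax',     // limits cross-site "session riding"
    ]);
    session_start();
}

// Hypothetical helper standing in for a real user store.
function verify_credentials(string $user, string $password): ?int
{
    // Constructed sample record; real code reads the hash from a database.
    $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

// login.php: swap the session ID only once the credentials check out.
function handle_login(string $user, string $password): bool
{
    $userId = verify_credentials($user, $password);
    if ($userId === null) {
        return false;
    }
    // New ID, old session data destroyed: a pre-set (fixated) ID is now useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Per-session CSRF token for the A5 case the answer mentions; check it on POSTs.
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return true;
}

session_bootstrap();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = handle_login($_POST['user'] ?? '', $_POST['password'] ?? '');
    http_response_code($ok ? 200 : 401);
}
```

Forms that change state should embed $_SESSION['csrf'] and the handler should compare it with hash_equals() before acting.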
