PHP中正确的会话劫持预防 [英] Proper session hijacking prevention in PHP
问题描述
我知道这个话题已经被很多讨论了,但是我还有一些具体的问题没有得到回答.例如:
I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example:
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');
// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');
// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);
// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
session_start();
// If the user is already logged
if (isset($_SESSION['uid'])) {
// If the IP or the navigator doesn't match with the one stored in the session
// there's probably a session hijacking going on
if ($_SESSION['ip'] !== getIp() || $_SESSION['user_agent_id'] !== getUserAgentId()) {
// Then it destroys the session
session_unset();
session_destroy();
// Creates a new one
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
}
} else {
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
// Set the default values for the session
setSessionDefaults();
$_SESSION['ip'] = getIp(); // Saves the user's IP
$_SESSION['user_agent_id'] = getUserAgentId(); // Saves the user's navigator
}
所以,我的问题是
-
ini_set
是否提供足够的安全性? - 是否可以保存用户的IP和导航器,然后进行检查 每次加载页面以检测会话劫持时?这有什么问题吗?
- 使用
session_regenerate_id()
正确吗? - 使用
session_id()
正确吗?
- do the
ini_set
's provide enough security? - is it okay to save the user's IP and navigator and then check it every time the page is loaded to detect a session hijack? Could this be problematic in any way?
- is the use of
session_regenerate_id()
correct? - is the use of
session_id()
correct?
推荐答案
您的配置很棒.您肯定会阅读有关如何锁定php会话的信息.但是,此行代码会抵消您的php配置提供的许多保护:
session_id(sha1(uniqid(microtime()));
Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration:
session_id(sha1(uniqid(microtime()));
这是生成会话ID的特别糟糕方法.根据您的配置,您将从/dev/urandom
生成会话ID,这是一个很棒的熵池.这将比uniqid()随机得多,而uniqid()已经基本上是一个时间戳,向此混合添加另一个时间戳完全没有帮助.尽快删除此代码行.
This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from /dev/urandom
which is a awesome entropy pool. This is going to be a lot more random than uniqid() which is already mostly a timestamp, adding another timestamp to this mix doesn't help at all. Remove this line of code, asap.
检查IP地址是有问题的,ip地址是出于正当理由而更改的,例如用户是否位于负载平衡器或TOR之后.用户代理检查是没有意义的,就像具有?is_hacker=False
这样的GET变量一样,如果攻击者具有会话ID,则可能拥有用户代理,而如果没有,则很容易被暴力破解.
Checking the IP address is problematic, ip addresses change for legitimate reasons, such as if the user is behind a load balancer or TOR. The user agent check is pointless, it is like having a GET variable like ?is_hacker=False
, if the attacker has the session id they probably have the user agent, and if they don't this value is really easy to brute force.
这篇关于PHP中正确的会话劫持预防的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!