Proper session hijacking prevention in PHP


Problem description


I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example:

<?php
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);

// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');

// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');


// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);

// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);


// The three helpers used below were not shown in the question; these minimal
// definitions are assumed here only so the snippet runs as posted.
function getIp() { return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : ''; }
function getUserAgentId() { return sha1(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''); }
function setSessionDefaults() { /* application-specific defaults, not shown in the question */ }

session_start();

// If the user is already logged
if (isset($_SESSION['uid'])) {
    // If the IP or the navigator doesn't match with the one stored in the session
    // there's probably a session hijacking going on

    if ($_SESSION['ip'] !== getIp() || $_SESSION['user_agent_id'] !== getUserAgentId()) {
        // Then it destroys the session
        session_unset();
        session_destroy();

        // Creates a new one
        session_regenerate_id(true); // Prevents session fixation
        session_id(sha1(uniqid(microtime()))); // Sets a random ID for the session
    }
} else {
    session_regenerate_id(true); // Prevents session fixation
    session_id(sha1(uniqid(microtime()))); // Sets a random ID for the session
    // Set the default values for the session
    setSessionDefaults();
    $_SESSION['ip'] = getIp(); // Saves the user's IP
    $_SESSION['user_agent_id'] = getUserAgentId(); // Saves the user's navigator
}

So my questions are:

  • do the ini_set's provide enough security?
  • is it okay to save the user's IP and navigator and then check it every time the page is loaded to detect a session hijack? Could this be problematic in any way?
  • is the use of session_regenerate_id() correct?
  • is the use of session_id() correct?

Recommended answer


Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration: session_id(sha1(uniqid(microtime()));


This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from /dev/urandom which is an awesome entropy pool. This is going to be a lot more random than uniqid() which is already mostly a timestamp, adding another timestamp to this mix doesn't help at all. Remove this line of code, asap.


Checking the IP address is problematic, ip addresses change for legitimate reasons, such as if the user is behind a load balancer or TOR. The user agent check is pointless, it is like having a GET variable like ?is_hacker=False, if the attacker has the session id they probably have the user agent, and if they don't this value is really easy to brute force.
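The poster's bootstrap with the answer's advice applied, as an added example that is not part of the question or the answer: PHP keeps the ID it derived from the configured entropy source, the ID is regenerated only at the login boundary, and the IP and User-Agent comparisons are dropped. `authenticate()` is a hypothetical application credential check, and the two entropy ini options are the question's PHP 5.x settings (PHP 7.1 and later removed them and seed session IDs from a CSPRNG by default).

```php
<?php
// Added example, not code from the original question or answer.
ini_set('session.cookie_httponly', 1);   // cookie not readable from JavaScript
ini_set('session.use_only_cookies', 1);  // never accept an ID from the URL
ini_set('session.cookie_secure', 1);     // cookie sent over HTTPS only
// From the question; these two options exist only in PHP < 7.1 (assumption:
// the deployment matches the question's PHP version).
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');

session_start();
// Deliberately no session_id(sha1(uniqid(microtime()))) here: it would
// replace the urandom-derived ID with one that is mostly a timestamp.
// Deliberately no IP or User-Agent comparison either: IPs change for
// legitimate reasons and the User-Agent travels with the stolen cookie.

// Call once credentials have been verified. Regenerating the ID at the
// privilege boundary defeats session fixation: whatever ID the client held
// before login (possibly attacker-chosen) is discarded with its data.
function establishAuthenticatedSession($uid)
{
    session_regenerate_id(true);  // new ID, old session storage deleted
    $_SESSION = array('uid' => (int) $uid, 'login_at' => time());
}

function currentUserId()
{
    return isset($_SESSION['uid']) ? $_SESSION['uid'] : null;
}

// Logout clears server-side data, the cookie on the client, and the session.
function logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Hypothetical login handler; authenticate() is assumed to return the
// user id on success and false otherwise, and is not shown.
// if (($uid = authenticate($_POST['user'], $_POST['pass'])) !== false) {
//     establishAuthenticatedSession($uid);
// }
```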
