Session token - how does it work?

Views: 193

Question

I'm wondering how you could best protect sessions. I've searched a bit and found a lot of answers, but many of them are just too confusing.

How do you prevent sessions from being hijacked? I've read a lot about "session tokens" you generate in a form, but really don't understand what their use is. How does this prevent session hijacking?

I know you don't save things like passwords in sessions, but what CAN you store in them safely? Permissions (like a session variable which keeps track of the user level. Every time a page is opened, the session variable is checked. If it's not a certain number, you get an "access denied" message displayed)? Or how do you handle this best?

Thanks!

Accepted answer

You can basically store anything in the session that you want; it is just considered "best" practice not to include any security-sensitive information, such as passwords, in case a layer of security is compromised.

The first step to preventing session hijacking is to not pass your session_id() via the URL. Users are stupid, and they will post links on their blogs with their session id, which would basically give whoever clicked that link access to their session. Therefore, it is recommended to store your session id in the user's cookie.

With that said, you want to filter and escape all your user input. If you have an XSS injection, and the user is able to inject JavaScript, they will be able to read your cookies without a problem.

From there, you generally want to regenerate_session_id() on any major action on your website, to prevent session fixation.

It's pretty simple, and that about sums it up.
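The answer's three points (session id in a cookie rather than the URL, a cookie that injected script cannot read, and a fresh id on login so a planted id stops working) plus the question's "store the user level in the session and check it per page" idea, shown together in a small server-side session store. This is an added example, not code from the original post or from PHP itself; it is written in Python rather than PHP so it runs stand-alone, and the class, function and cookie names (`SessionStore`, `require_level`, `fixation_demo`, the `SESSIONID` cookie) are assumptions for illustration. In real PHP the equivalent of `regenerate` is `session_regenerate_id(true)`, and the cookie flags are set via `session_set_cookie_params()` or `ini_set('session.cookie_httponly', '1')`.

```python
"""Minimal server-side session handling (added example, not the page's code)."""
import secrets

# Cookie attributes: HttpOnly keeps the id away from document.cookie (the XSS
# case in the answer), Secure keeps it off plaintext HTTP, SameSite limits
# cross-site sends. Cookie name SESSIONID is an assumption for this example.
COOKIE_TEMPLATE = "SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


class SessionStore:
    """In-memory session store keyed by an unguessable session id."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of server-side session data

    @staticmethod
    def _new_id():
        # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
        return secrets.token_urlsafe(32)

    def create(self):
        """Start an anonymous session and return its id."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "level": 0}
        return sid

    def get(self, sid):
        """Look up session data; None if the id is unknown."""
        return self._sessions.get(sid)

    def regenerate(self, sid):
        """Move the data to a brand-new id and invalidate the old one.

        This is the anti-fixation step: whatever id an attacker planted in the
        victim's browser no longer maps to anything after this call.
        """
        data = self._sessions.pop(sid, None)
        if data is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid, username, level):
        """Record the authenticated user and privilege level, then rotate the id.

        Only the user name and level are stored; the password never enters the
        session (the answer's "no security-sensitive information" point).
        """
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions[sid].update(user=username, level=level)
        return self.regenerate(sid)

    def logout(self, sid):
        """Destroy the session server-side; the cookie alone is now worthless."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Response header that delivers the id in a cookie, never in the URL."""
    return "Set-Cookie: " + COOKIE_TEMPLATE.format(sid=sid)


def require_level(store, sid, minimum):
    """Per-page check from the question: allow only if the stored level suffices."""
    data = store.get(sid)
    return data is not None and data["level"] >= minimum


def fixation_demo():
    """Walk through a fixation attempt and report whether it survives login."""
    store = SessionStore()
    planted = store.create()  # attacker obtains a valid (anonymous) id ...
    # ... and gets it into the victim's browser, e.g. via a link carrying the id.
    victim_sid = store.login(planted, "alice", level=5)  # victim logs in
    return {
        "attacker_still_valid": store.get(planted) is not None,
        "victim_is_admin": require_level(store, victim_sid, 5),
        "ids_differ": planted != victim_sid,
    }


if __name__ == "__main__":
    print(set_cookie_header(SessionStore().create()))
    print(fixation_demo())
```

The store keeps the user's identity and level, not a password; if a stale level is a concern, store only the user id and re-read the level from the user record on each request so a demotion takes effect immediately rather than at the next login.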
