Is regenerating the session ID after successful login sufficient to prevent session fixation?


Question

I read a guide currently, and I am bit confused over this:

To address this weakness, it helps to understand the scope of the problem. Session fixation is merely a stepping-stone—the purpose of the attack is to get a session identifier that can be used to hijack a session. This is most useful when the session being hijacked has a higher level of privilege than the attacker can obtain through legitimate means. This level of privilege can be as simple as being logged in. If the session identifier is regenerated every time there is a change in the level of privilege, the risk of session fixation is practically eliminated:

<?php
// Every session starts out unprivileged.
$_SESSION['logged_in'] = FALSE;
if (check_login())
{
  // The privilege level is about to change: issue a fresh session ID first.
  session_regenerate_id();
  $_SESSION['logged_in'] = TRUE;
}
?>

If I understand this correctly, I only need to call session_regenerate_id() before I assign a value like logged_in = true or user_id = id, and then I have made a protection against session fixation?

Is this enough? What else can I do?

Answer

Actually, the most common scenario with session fixation is that the attacker will place a link, e.g. to your homepage or login page, setting the session ID on the URL (as a GET variable), and wait for some users to log in. Since the attacker then knows the session ID of these users, and since this session ID can be set in the URL, the attacker can revisit the link to the registered user's profile page/dashboard etc. and impersonate this user.

Thus, to prevent such kinds of attacks, session ID regeneration is adequate, as the attacker remains with an unauthenticated session. An additional step you could take is to not accept session IDs in the URL. To do this, you have to set (either in php.ini, if you have access to this file on the server, or via ini_set) the following:

  1. session.use_only_cookies should be set to TRUE (use only cookies for the PHP session ID; do not pass it via the URL)
  2. session.use_trans_sid should be set to FALSE (the session ID should not be passed via the URL when cookies are disabled)

This way, the attacker cannot set the session ID even for the unauthenticated session.
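As an added example (not code from the question, the quoted guide, or the answer above), here is a PHP login handler that combines the answer's two measures: regenerating the ID when the privilege level changes and accepting session IDs only from cookies. It goes slightly beyond the answer by also enabling session.use_strict_mode and by passing true to session_regenerate_id() so the pre-login session data is deleted; the credential store, check_credentials() and the form field names are constructed for the example.

```php
<?php
// Added example, not the question's or the answer's own code. It applies the
// answer's two measures and additionally enables session.use_strict_mode so an
// ID the server never issued is not adopted. Credential store is constructed.
declare(strict_types=1);

// These must be set before session_start() to take effect for this request.
ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
ini_set('session.use_trans_sid', '0');    // never append the ID to links/forms
ini_set('session.use_strict_mode', '1');  // reject IDs not generated by PHP

session_set_cookie_params([
    'httponly' => true,   // not readable by page scripts
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample credential store: username => password hash.
$USERS = ['alice' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)];

function check_credentials(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(array $users, string $user, string $password): bool
{
    if (!check_credentials($users, $user, $password)) {
        return false; // the unauthenticated session keeps its current ID
    }
    // Privilege level changes here: issue a new ID and delete the old session
    // data, so an ID planted before login can never become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user'] = $user;
    return true;
}

// Example use; the POST field names are assumed.
if (login($USERS, $_POST['user'] ?? '', $_POST['password'] ?? '')) {
    header('Location: /dashboard');
} else {
    http_response_code(401);
}
```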
