what is the efficient way to secure a session variable in php?


Question

My web application uses UserId almost throughout the entire application..

  • what is the most efficient way to secure a session variable in php?

Is session vulnerable to attacks?

Should I keep my encrypted value of UserId in session?

Any suggestions...

Recommended answer

Note: taken from my previous answer.

  • User: A visitor.
  • Client: A particular web-capable software installed on a particular machine.

In order to understand how to make your session secure, you must first understand how sessions work.

Let's look at this code:

session_start();

As soon as you call that, PHP will look for a cookie called PHPSESSID (by default). If it is not found, it will create one:

PHPSESSID=h8p6eoh3djplmnum2f696e4vq3

If it is found, it takes the value of PHPSESSID and then loads the corresponding session. That value is called a session_id.

That is the only thing the client will know. Whatever you add into the session variable stays on the server, and is never transferred to the client. That variable doesn't change if you change the content of $_SESSION. It always stays the same until you destroy it or it times out. Therefore, it is useless to try to obfuscate the contents of $_SESSION by hashing it or by other means as the client never receives or sends that information.

Then, in the case of a new session, you will set the variables:

$_SESSION['user'] = 'someuser';

The client will never see that information.

A security issue may arise when a malicious user steals the session_id of another user. Without some kind of check, he will then be free to impersonate that user. We need to find a way to uniquely identify the client (not the user).

One strategy (the most effective) involves checking if the IP of the client who started the session is the same as the IP of the person using the session.

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}

// The Check on subsequent load
if($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) {
    die('Session MAY have been hijacked');
}

The problem with that strategy is that if a client uses a load-balancer, or (on long duration session) the user has a dynamic IP, it will trigger a false alert.

Another strategy involves checking the user-agent of the client:

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT'];
}

// The Check on subsequent load
if($_SESSION['agent'] != $_SERVER['HTTP_USER_AGENT']) {
    die('Session MAY have been hijacked');
}

The downside of that strategy is that if the client upgrades its browser or installs an addon (some add to the user-agent), the user-agent string will change and it will trigger a false alert.

Another strategy is to rotate the session_id on each 5 requests. That way, the session_id theoretically doesn't stay long enough to be hijacked.

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['count'] = 5;
}

// The Check on subsequent load
if(($_SESSION['count'] -= 1) == 0) {
    session_regenerate_id();
    $_SESSION['count'] = 5;
}

You may combine each of these strategies as you wish, but you will also combine the downsides.

Unfortunately, no solution is fool-proof. If your session_id is compromised, you are pretty much done for. The above strategies are just stop-gap measures.
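Pulling the three checks from the answer above (IP, user-agent, periodic rotation) into one guard, as an added example that is not part of the original question or answer: it assumes hypothetical helpers secure_session_start() and session_login(), a placeholder SESSION_SECRET that would come from server-side configuration, and PHP 7.3 or newer for the array form of session_set_cookie_params().

```php
<?php
// Added example, not code from the original answer. secure_session_start()
// and session_login() are hypothetical names; SESSION_SECRET is a placeholder
// for a long random value loaded from server-side configuration.
const SESSION_SECRET = 'placeholder-replace-with-a-long-random-secret';
const ROTATE_EVERY   = 5;   // requests between session_id rotations
// Fingerprint of the client (IP + user-agent), keyed with the server secret
// so it cannot be recomputed from values the client controls.
function client_fingerprint(array $server): string {
    $parts = [$server['REMOTE_ADDR'] ?? '', $server['HTTP_USER_AGENT'] ?? ''];
    return hash_hmac('sha256', implode("\n", $parts), SESSION_SECRET);
}
function secure_session_start(): void {
    // The id is the only thing the client holds: keep it away from JavaScript,
    // plain HTTP and cross-site requests (array form needs PHP >= 7.3).
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    if (!isset($_SESSION['user'])) {
        return;               // anonymous session, nothing to verify yet
    }
    // Constant-time compare. A mismatch means the IP or the user-agent changed,
    // which may be a hijack or one of the false alarms described above, so the
    // safe response is to drop the session and ask the user to log in again.
    if (!hash_equals($_SESSION['fp'] ?? '', client_fingerprint($_SERVER))) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session check failed, please log in again');
    }
    // Rotation every ROTATE_EVERY requests; passing true deletes the old
    // session data so a previously captured id stops working immediately.
    if (--$_SESSION['count'] <= 0) {
        session_regenerate_id(true);
        $_SESSION['count'] = ROTATE_EVERY;
    }
}

// Call once the password check has succeeded. Regenerating here means the
// pre-login id is never carried into the authenticated session.
function session_login(string $user): void {
    session_regenerate_id(true);
    $_SESSION['user']  = $user;
    $_SESSION['fp']    = client_fingerprint($_SERVER);
    $_SESSION['count'] = ROTATE_EVERY;
}
```

The fingerprint check inherits the false-alarm cases the answer lists (load balancers, dynamic IPs, browser upgrades), so treat a mismatch as "re-authenticate", not as proof of an attack.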
