Dealing with session hijacking in PHP


Question

Reading through the many questions regarding session hijacking here on Stackoverflow, I've gathered that the only 'solution' to validating a user's session is by checking the user agent, which is such a weak layer of protection that I don't even bother to implement it.

So, I was wondering what solutions you guys have implemented? Are you even using PHP's native sessions, or is there a more secure solution?

Answer

You don't need the session id in order to hijack a session. An XSS attack can go 1 of 2 ways. The most common is to read document.cookie and send it to a remote server (this request will also contain the victim's USER_AGENT, so checking this value is a complete and total waste of time as it doesn't prevent any attack whatsoever). A cool security method developed by Microsoft is called HTTPOnly Cookies, and most browsers support this security feature.

HTTPOnly Cookies and checking the client's IP address don't stop all session hijacks. In fact, if the attacker has an XSS vulnerability he can just forge requests using XHR on the victim's browser and therefore wouldn't need to know the value of the cookie.

At the end of the day, in order to stop session hijacking you need to plug the vulnerabilities in your web application. Most importantly you need to prevent "Session Riding", which is also known as CSRF. You also need to prevent XSS vulnerabilities; Acunetix free edition is a good tool for finding them. Last but certainly not least, you must read the OWASP A3: Broken Authentication and Session Management. A common violation of OWASP A3 is that people don't use HTTPS for the entire session. At no point can you spill the value of the cookie over http; this has the exact same impact as if you spilled the username/password. If a hacker is sniffing the traffic he will have immediate access to your site.
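The defensive measures the answer lists (HttpOnly and HTTPS-only session cookies, regenerating the session id, and a per-session CSRF token against "Session Riding") put together in one PHP snippet. This is an added example, not code from the question or the answer; the function names `start_secure_session`, `on_login`, `csrf_token` and `csrf_check` are assumed for illustration, and it assumes PHP 7.3 or later for the array form of `session_set_cookie_params`.

```php
<?php
// Added example: hardened session setup plus a CSRF token check.
// Helper names are assumed; they are not from the original post.

function start_secure_session(): void {
    // HttpOnly keeps document.cookie from reading the id (the XSS theft case above),
    // Secure keeps it off plain http, SameSite=Strict blocks most cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_start();
    // Tell the browser to stay on HTTPS for the whole session (one year, subdomains too).
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Call right after a successful login so a pre-login id cannot be carried over.
function on_login(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['csrf']    = bin2hex(random_bytes(32));
}

// Embed the returned token as a hidden field in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Verify on every POST; hash_equals is a constant-time comparison.
function csrf_check(?string $submitted): bool {
    return is_string($submitted)
        && !empty($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

An XSS bug still lets injected script read the token out of the page and submit the form with XHR, which is why the answer insists on fixing XSS as well rather than relying on cookie flags alone.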
