PHP Session Security: usefulness of checking $_SESSION['HTTP_USER_AGENT']


Question


Threads such as PHP Session Fixation / Hijacking and some people like Chris Shiflett recommend checking the user agent ( $_SESSION['HTTP_USER_AGENT'] ) to help check for session validity. Some resources even recommend something like this:

<?php

/* Fingerprint built from request data that should stay constant for one client */
$string = $_SERVER['HTTP_USER_AGENT'];
$string .= 'SHIFLETT';

/* Add any other data that is consistent */

/* Stored in the session at login and compared against a freshly computed value on each later request */
$fingerprint = md5($string);

?>


However, Chris Snyder says that "the universe of browser agents is minuscule in comparison to the universe of users, so it is impossible for each user to have an individual user agent. Furthermore, it isn't hard to spoof a user agent. And so there is little real point in checking this metric as a proof of session validity" (Chapter 7, pg 103).


It's very difficult to know what to do when one encounters conflicting advice, and when some of the advice may be out-of-date (such as the Shiflett/PHPSec example above, whose timestamp seems to be Friday, March 18, 2005). Newer advice such as Snyder's (date of publication: December 9, 2010) would seem to be better, but is this always so? (For example, in spite of spending a lot of time recommending the use of mysqli, Snyder completely ignores what Stack Overflow users seem to agree is the better choice -- PDO -- so I'm not totally sold on Snyder as the ultimate Trustworthy Expert).


So I guess my question has two parts, one specific (should I bother examining the user agent?) and one more general (whose advice should I trust when it comes to the latest thinking in PHP Security?), with my obvious bias being "trust the people on Stack Overflow!" -- or I wouldn't be asking in the first place, because crowd-sourcing the most current thinking is often the best idea.


Following useful discussion in the comments w/ @Radu, to clarify the HTTPS question --


Snyder seems to be saying two things: 1.) HTTPS makes other tools less necessary or unnecessary. 2.) In situations where one cannot use HTTPS, it is still not really useful to check the user agent (and this seems to be the point where he disagrees with some possibly older advice).

Accepted answer


If the man in the middle can hijack the session ID, then he should have absolutely no problem in sending the same user agent, so I don't think this will get you anywhere. This is security by obscurity.


If you want real protection, use HTTPS.
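To put the two halves of the answer side by side, here is an added example (not code from the question, the answer, or any project): the question's fingerprint check written as a function, where every input is request-supplied and so cannot tell the session's owner apart from whoever holds its ID, next to the PHP session settings that the "use HTTPS" advice implies. It assumes PHP 7.3 or newer with the default session handler; the function names are my own.

```php
<?php
// Added example (not from the question or answer); assumes PHP 7.3+ with the
// default session handler. Function names are hypothetical.

// The question's fingerprint check as a function. Every input comes from the
// request itself, so whoever holds the session ID can send a matching
// User-Agent just as easily as the cookie: it adds no real binding.
function userAgentFingerprint(string $secret): string
{
    return hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . $secret);
}

function fingerprintMatches(string $secret): bool
{
    if (!isset($_SESSION['fingerprint'])) {
        return false;
    }
    return hash_equals($_SESSION['fingerprint'], userAgentFingerprint($secret));
}

// What the accepted answer recommends instead: keep the session ID off the
// wire in clear text and make it hard to fixate or read from the browser.
function startHardenedSession(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        // Refuse to run the session over plain HTTP; send the client to HTTPS.
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    ini_set('session.use_strict_mode', '1');  // reject attacker-chosen IDs (fixation)
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie is only sent over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful login (or any privilege change) so the ID the
// user had before authenticating never becomes the authenticated one.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['fingerprint'] = userAgentFingerprint('SHIFLETT'); // harmless, not a protection
}
```

The ini_set() calls must run before session_start(); on a server that already sets these in php.ini they are redundant but harmless.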
