Consequences of turning off session.cookie_secure in PHP


Question

What are the security risks associated with turning off "session.cookie_secure" in PHP under secure connections? I'm itching to turn this off since I'm unable to access session data from https pages to http pages.

Recommended answer

The risk is that the cookie data is transferred over plain HTTP. Anyone sniffing packets on the network would be able to view the data in the cookie. Then, they can pretend to be you (Session Fixation).

Now, some would argue that if someone can sniff packets on the network, that they are in a position to execute a MITM attack so it's not a huge deal. However this is not 100% correct. Look at what happened with Google. They were able to sniff raw WIFI traffic without actually compromising the network (which would be required for a MITM attack). Sending cookies over HTTP can open up session hijacking attacks where if you kept them to HTTPS only they would not be.

If you need access to be secure, keep secure_only set. If you don't care about the data (or use multiple-factors, or want to risk it), then open it up...

One potential workaround is to use a custom error handler, and set 2 session identifiers (one is secure_only). Then you can "log in" via both, yet require the secure one for anything important (such as accessing important data). This would require some work to do correctly, but could be a decent solution to the problem...
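The two-identifier workaround sketched in the answer, written out as an added example (not the answerer's code): the ordinary PHP session cookie stays readable on http:// pages, while a second Secure-flagged cookie (the name `elevated` and the function names are assumptions) carries a random token that is only ever sent over TLS and is required for sensitive actions. The custom error handler the answer mentions is left out; this shows only the cookie and check logic.

```php
<?php
// Added example of a two-tier session for a site serving both http and https.
declare(strict_types=1);

const ELEVATED_COOKIE = 'elevated'; // assumed cookie name

function isHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Baseline session cookie. secure=true is the safe default the question asks
// about relaxing; HttpOnly and SameSite still apply even when it is relaxed.
function startSession(bool $allowPlainHttp): void
{
    session_set_cookie_params([
        'secure'   => !$allowPlainHttp,   // false = the risky setting discussed
        'httponly' => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    session_start();
}

// After a successful login over HTTPS: rotate the session id, mint a random
// token, keep only its hash server-side, and send the token with Secure set so
// a sniffer of the plain-HTTP session cookie never sees it.
function grantElevated(): void
{
    if (!isHttps()) {
        return; // never issue the elevated token over plain HTTP
    }
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(32));
    $_SESSION['elevated_hash'] = hash('sha256', $token);
    setcookie(ELEVATED_COOKIE, $token, [
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/',
    ]);
}

// Gate for anything important: request must be HTTPS and the Secure cookie
// must match the hash stored in the session (constant-time comparison).
function hasElevated(): bool
{
    $token = $_COOKIE[ELEVATED_COOKIE] ?? '';
    $hash  = $_SESSION['elevated_hash'] ?? '';
    return isHttps() && $token !== '' && $hash !== ''
        && hash_equals($hash, hash('sha256', $token));
}
```

A stolen plain-HTTP session id alone then only grants the low-privilege view; any page that calls `hasElevated()` still refuses the attacker because their browser never received the Secure cookie.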

