Preventing session fixation by ensuring the only source of creating a session should be a secure random generator


Question

I am trying to prevent session fixation and have read the following from the owasp website:

Session fixation

Session IDs are to be generated by your application only. Never create a session only because you receive the session ID from the client, the only source of creating a session should be a secure random generator.

I handle sessions by using:

ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies. 
ini_set('session.entropy_file', '/dev/urandom'); // better session id's
ini_set('session.entropy_length', '512');
session_start();

and checking for the existence of a user id:

if(isset($_SESSION['user_id'])) {
    //act like user is logged in
} else {
    //refer user to the login page
}

Does this mean the only source of creating my session is via a secure random generator?

Recommended answer

By default PHP is prone to session fixation:

Simple scenario:

  1. Mallory has determined that http://unsafe.example.com/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe.example.com/ is thus not secure.
  2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
  3. Alice is interested and visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
  4. Mallory visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.

http://en.wikipedia.org/wiki/Session_fixation

session.use_strict_mode boolean

session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).

http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode

Enabling session.use_strict_mode prevents PHP from accepting ids of non-existing sessions and creating them. This does not prevent other types of session fixation though:

Attack using server generated SID

A misconception is that servers which only accept server generated session identifiers are safe from fixation. This is false.

Scenario:

  1. Mallory visits http://vulnerable.example.com/ and checks which SID is returned. For example, the server may respond: Set-Cookie: SID=0D6441FEA4496C2.
  2. Mallory is now able to send Alice an e-mail: "Check out this new cool feature on our bank, http://vulnerable.example.com/?SID=0D6441FEA4496C2."
  3. Alice logs on, with fixated session identifier SID=0D6441FEA4496C2.
  4. Mallory visits http://vulnerable.example.com/?SID=0D6441FEA4496C2 and now has unlimited access to Alice's account.

This can be prevented by session.use_only_cookies, which is on by default.

You may still be vulnerable to yet more session fixation attacks through XSS, which you will have to counteract with measures other than PHP ini settings.
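As an added example (not code from the question or the answer above), this is how the two ini settings the answer names fit together with the one measure that is not an ini setting: regenerating the session ID at login, so that whatever ID the browser held before authentication, whether adopted, server-issued and leaked, or planted through XSS, never becomes the ID of the authenticated session. It assumes PHP 5.5.2 or later (when session.use_strict_mode appeared), a site served over HTTPS, and a hypothetical check_credentials() helper.

```php
<?php
// Added example: hardened session bootstrap and login handler.

// Refuse session IDs this server never issued. Without this, PHP creates a
// session for any ID the client presents, which is the first scenario above
// (the attacker-chosen I_WILL_KNOW_THE_SID).
ini_set('session.use_strict_mode', 1);

// Read the ID from the session cookie only, never from ?SID=... in the URL,
// which defeats the second scenario (a server-issued ID smuggled in a link).
ini_set('session.use_only_cookies', 1);

// Keep the cookie away from document.cookie and off plain HTTP
// (cookie_secure assumes the site is only reachable over HTTPS).
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);

session_start();

function login(string $username, string $password): bool
{
    if (!check_credentials($username, $password)) { // hypothetical helper
        return false;
    }

    // The pre-login ID may already be known to someone else (see the answer's
    // XSS remark). Issue a fresh, server-generated ID and delete the old
    // session data, so the old ID no longer maps to anything.
    session_regenerate_id(true);

    $_SESSION['user_id'] = $username;
    return true;
}

function logout(): void
{
    // Wipe server-side state and the old ID so neither can be reused.
    $_SESSION = [];
    session_destroy();
    session_regenerate_id(true);
}
```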
