Is it more secure to use a session variable instead of a hidden input field?


Question

I know two ways to pass parameters between pages:

  1. using POST and <input type="hidden">
  2. using $_SESSION["variable_name"]

I find the second way easier, but I wonder if it is as secure as the first one, because in most tutorials I see, they use the first way.

Is there any important reason to prefer the first way to the second?

Accepted answer

To understand the difference, let's go through in detail how each of the solutions would work and their security risks. In this example we are going to store the count of page views of the user.

We start the session, increment the counter and store it in the $_SESSION array:

<?php
session_start();                      // resume the session identified by the cookie, or create a new one
if(!isset($_SESSION["pageviews"]))    // first visit in this session: initialise the counter
{
    $_SESSION["pageviews"] = 0;
}
$_SESSION["pageviews"]++;             // stored server-side; the client never sees the value
?>

When a user visits this page for the first time, PHP will generate a random session identifier that looks like the following, and ask the browser to store this ID in a cookie:

fh4giqncq25ntgs7gjunvj6i33

On the server, it will store and remember that there is a pageviews variable with the value 1 that belongs to the session ID fh4giqncq25ntgs7gjunvj6i33.

The next time the user visits the page, his or her browser will send the previous session ID along with the request (given that the cookie hasn't expired or been deleted). PHP then recognizes this ID, populates the $_SESSION array with pageviews = 1, and then increments it: pageviews = 2.

In terms of security, consider the following questions:

Is the user able to read the stored data? No – the only thing the client sees is the random session ID in the cookie; the data itself is stored on the server.

Is the user able to alter or manipulate the stored data? Again, no – if the session ID is altered in the browser, PHP will not be able to tie the browser to the stored data any more. In this worst-case scenario the user will get a new session, starting with pageviews = 1.

The main security risk of sessions is session hijacking, when an attacker somehow manages to get the session ID from someone else's browser and then presents it to the server, thereby impersonating the other user. In our example this would not make much sense since we're only storing a page view count; however, most sites use sessions to keep track of which user is logged on from which browser. In that scenario, stealing someone else's session would mean getting access to their account.

In this case we have a form with a hidden field:

<form action="..." method="post">
    <input type="hidden" name="pageviews" value="<?php print($pageviews); ?>" />
    ...
</form>

On the server, we retrieve the pageviews variable from $_POST and increment it:

<?php
$pageviews = @$_POST["pageviews"];    // value comes straight from the client; @ silences the notice if the field is missing
$pageviews++;                         // no check that the submitted value is the one we sent out
?>

So, instead of storing it on the server, we essentially send the data down to the client and expect it back in the subsequent request. Apart from the fact that it only works with POST requests, let's look at the security-related downsides of this solution:

Is the user able to read the stored data? Yes – it goes straight to the browser in the HTML code.

Is the user able to alter or manipulate the stored data? Yes – there is nothing to prevent the user from opening up the developer tools in his or her browser and changing the hidden value to whatever he or she likes. Upon submitting the form, the server gets the altered data.

The problem with <input type="hidden"> is that you just can't trust the client, so you have to verify the data you get in every request. It might be reasonable to do this in some cases, such as filling out multi-page forms, but even that can often be better solved with sessions.

Persisting data via $_SESSION is generally safer than using <input type="hidden"> because the session data is stored on the server, and thus cannot be tampered with by the client. Only a random session identifier is sent to the browser in a cookie, which ties the data on the server to that particular browser.
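As an added example (not code from the original answer), here is the same page-view counter written both ways, with the two checks the answer calls for: hardened session cookie settings against hijacking, and server-side verification of the hidden field via an HMAC tag. The secret key name and value are placeholders.

```php
<?php
// Added example, not the original answer's code: a page-view counter kept
// (1) in the session and (2) in a hidden field that is verified on return.
declare(strict_types=1);

// Hypothetical server-side secret; load it from configuration in practice.
const HMAC_KEY = 'replace-with-a-long-random-secret';

// --- (1) Session variable: the client only ever holds the session ID. ---
session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the ID (limits script-based hijacking)
    'secure'   => true,   // only sent over HTTPS, so it is not exposed on the wire
    'samesite' => 'Lax',  // not attached to most cross-site requests
]);
session_start();
if (!isset($_SESSION['pageviews'])) {
    $_SESSION['pageviews'] = 0;
    session_regenerate_id(true); // fresh ID once state is first established
}
$_SESSION['pageviews']++;

// --- (2) Hidden field, but verified: the value travels with an HMAC tag,
// so an altered value fails the check instead of being trusted. ---
function signValue(int $value): string
{
    return $value . ':' . hash_hmac('sha256', (string) $value, HMAC_KEY);
}

function readSignedValue(?string $field): ?int
{
    // Expect "<digits>:<64 hex chars>"; anything else is rejected up front.
    if ($field === null || !preg_match('/^(\d{1,9}):([0-9a-f]{64})$/', $field, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], HMAC_KEY);
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null; // constant-time compare
}

$posted      = readSignedValue($_POST['pageviews'] ?? null);
$hiddenViews = ($posted ?? 0) + 1;   // a tampered or missing field restarts at 1
?>
<p>Session counter: <?= $_SESSION['pageviews'] ?></p>
<form method="post">
    <input type="hidden" name="pageviews"
           value="<?= htmlspecialchars(signValue($hiddenViews)) ?>">
    <button type="submit">Hidden-field counter: <?= $hiddenViews ?></button>
</form>
```

The signed field stops the client from changing the value, but it does not stop the client from resubmitting an older, still-valid signed value; that remaining gap is one reason the answer still prefers sessions.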
