session security in php


Question

What is the best way to know if the user is the right guy and not a hacker? For example, in my project, when a user is logging in I create some session variable with some number, and then on other pages I check this session variable and, according to its value, give the user some options.

So can a hacker change this variable somehow so the server side will grant him access to some options?

If so, what is the best way of holding a user's rights and passing them to different pages, so the server can grant that user some options?

Answer

To understand session hijacking more clearly: there are several methods by which a hacker hijacks a session, so let me shed some light on the different types of session hijacking.

According to Wikipedia:

There are four main methods used to perpetrate a session hijack:

  1. Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.

  2. Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.

  3. Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.

  4. Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

While there are several solutions to stop this kind of hijacking (for example, for the second one, using SSL or https would be appropriate to avoid it), if you want to add more security to your session, then one solution I came across is allowing session IDs to be passed via cookies only, and generating an additional session token that is passed via the URL; only requests that contain a valid session token may access the session.

Below is the example taken from the O'Reilly PHP Cookbook.

<?php
// Accept the session ID from the cookie only, never from the query string.
ini_set('session.use_only_cookies', true);
session_start();
// Create a salt value (fixed here; the token changes once per ISO week because of date('W')).
$salt = 'Hjkhkjh9089&j98098';
$tokenstr = (string) date('W') . $salt;
// Create an md5 hash to be used as the token.
$token = md5($tokenstr);
// Every request must carry the token in addition to the session cookie.
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
    // prompt for login
    exit;
}
$_SESSION['token'] = $token;
// Append token=... to every URL and form that PHP's URL rewriter emits.
output_add_rewrite_var('token', $token);

Now, what output_add_rewrite_var does is add another name/value pair to the URL rewrite mechanism, passed via the GET method. Read more about the function here: output_add_rewrite_var

To read more about session security, I suggest you read this article: http://hungred.com/useful-information/solutions-session-attacks/

Hope this helps you in understanding the vulnerabilities of sessions and how to fix them.
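The following is an added example, written for this page; it is not code from the answer above or from the PHP Cookbook. It goes beyond the answer's token idea and shows one defence for each of the four hijacking methods the answer lists: strict mode plus session_regenerate_id() against fixation, a Secure cookie against sidejacking, an HttpOnly cookie against cookie theft via XSS, and an absolute session lifetime to shorten the window for a stolen ID. The user's rights are kept only in $_SESSION on the server, which answers the question of whether a client can edit them. It assumes PHP 7.3 or later (array form of session_set_cookie_params() and setcookie()); the function names, the role names and the demo_users() store are made up for illustration.

```php
<?php
// Added example, not code from the original answer or from the PHP Cookbook.
// Assumes PHP 7.3+ (array form of session_set_cookie_params/setcookie).
// The user store, role names and function names are made up for illustration.
declare(strict_types=1);

// Configure and start the session. Must run before any output is sent.
function secure_session_start(): void
{
    // Reject session IDs the server did not generate itself; an ID planted
    // via a link or email (session fixation) is dropped and a fresh one issued.
    ini_set('session.use_strict_mode', '1');
    // Never read the session ID from the URL, and never rewrite URLs with it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // sent over HTTPS only: defeats sidejacking on plain HTTP
        'httponly' => true,     // not visible to document.cookie: limits XSS cookie theft
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed in-memory user store for the example; a real application keeps
// these in a database. Hashes are produced with password_hash() at runtime.
function demo_users(): array
{
    return [
        'alice' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT), 'role' => 'admin'],
        'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT),               'role' => 'user'],
    ];
}

// Verify credentials and establish a fresh authenticated session.
function login(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // Swap the pre-login session ID for a new one so an ID the attacker planted
    // never becomes the authenticated session; true deletes the old session data.
    session_regenerate_id(true);
    // The user's rights live only in $_SESSION on the server; the client never
    // sees or sends them, so it cannot change them.
    $_SESSION['user']       = $username;
    $_SESSION['role']       = $users[$username]['role'];
    // Per-session secondary token from a CSPRNG, unlike md5(date('W') . $salt),
    // which is the same for every visitor during the same week.
    $_SESSION['token']      = bin2hex(random_bytes(32));
    $_SESSION['login_time'] = time();
    return true;
}

// Gate for a protected page: needs an authenticated session, the matching
// secondary token, a session younger than $maxAge seconds, and the required role.
function authorize(string $requiredRole, ?string $presentedToken, int $maxAge = 8 * 3600): bool
{
    if (empty($_SESSION['user']) || empty($_SESSION['token'])) {
        return false;
    }
    // Constant-time comparison instead of != on the token string.
    if ($presentedToken === null || !hash_equals($_SESSION['token'], $presentedToken)) {
        return false;
    }
    // An absolute lifetime bounds how long a stolen session ID stays useful.
    if (time() - (int) ($_SESSION['login_time'] ?? 0) > $maxAge) {
        return false;
    }
    return ($_SESSION['role'] ?? '') === $requiredRole;
}

// Destroy the session server-side and expire the cookie client-side.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// login.php (sketch):
//   secure_session_start();
//   if (login($_POST['user'] ?? '', $_POST['pass'] ?? '', demo_users())) { /* redirect */ }
//
// admin.php (sketch):
//   secure_session_start();
//   if (!authorize('admin', $_POST['token'] ?? null)) { http_response_code(403); exit; }
```

The secondary token is sent back in a hidden form field (or a request header) rather than in the query string as the answer suggests, because anything in the URL is written to server logs, browser history and Referer headers, which is exactly where a sidejacker or a leaked log would find it.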
