PHP Session Security


Question

What are some guidelines for maintaining responsible session security with PHP? There's information all over the web and it's about time it all landed in one place!

Answer

There are a couple of things to do in order to keep your session secure:

  1. Use SSL when authenticating users or performing sensitive operations.
  2. Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
  3. Have sessions time out.
  4. Don't use register globals.
  5. Store authentication details on the server. That is, don't send details such as username in the cookie.
  6. Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking. You can also check the IP address. But this causes problems for users that have a changing IP address due to load balancing on multiple internet connections etc. (which is the case in our environment here).
  7. Lock down access to the sessions on the file system or use custom session handling.
  8. For sensitive operations consider requiring logged in users to provide their authentication details again.
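The session bootstrap below is an added example, not code from the answer above; it implements items 1, 2, 3, 5 and 6 of the list in plain PHP. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params()); the timeout value and the 'ua_hash', 'last_activity' and 'user_id' key names are this example's own choices.

```php
<?php
declare(strict_types=1);

const SESSION_IDLE_TIMEOUT = 900; // seconds of inactivity allowed (constructed value for this example)

function secure_session_start(): void
{
    // Items 1 and 5: the cookie carries only the session id, and only over HTTPS;
    // HttpOnly keeps page scripts away from it.
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Strict']);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    session_start();

    // Item 6: bind the session to the User-Agent it was created with.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $uaChanged = isset($_SESSION['ua_hash']) && !hash_equals($_SESSION['ua_hash'], $ua);

    // Item 3: drop sessions that have been idle longer than the timeout.
    $now = time();
    $expired = isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > SESSION_IDLE_TIMEOUT;

    if ($uaChanged || $expired) {
        session_unset();             // forget everything the suspect session carried
        session_regenerate_id(true); // fresh id; the old session data is deleted
    }
    $_SESSION['ua_hash'] = $_SESSION['ua_hash'] ?? $ua;
    $_SESSION['last_activity'] = $now;
}

// Item 2: call this right after a successful login (any change of security level).
function on_login(int $userId): void
{
    session_regenerate_id(true);    // new id, old session file removed
    $_SESSION['user_id'] = $userId; // item 5: identity lives server-side, never in the cookie
}

// Logout: clear server-side data and expire the cookie in the browser.
function destroy_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

secure_session_start();
```

Item 7 is a deployment matter (permissions on session.save_path, or a database-backed handler via session_set_save_handler()) rather than request-time code, so it is not shown here.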

