PHP 会话变量有多安全? [英] How safe are PHP session variables?
问题描述
我有一个登录脚本,可以根据用户"表中的数据验证用户名/密码.此外,我有一个角色"表,用于指定给定用户的访问级别.假设我使用的是安全登录脚本,那么在成功登录后对角色"表执行附加查询以发现用户的授权级别并将其存储到会话变量中时,是否存在任何安全漏洞?然后的想法是,在具有混合权限的任何页面上,我可以简单地查询会话变量以发现登录用户的授权级别.
I have a login script that verifies a username/password against data in a 'user' table. Furthermore, I have a 'roles' table that specifies the access level of a given user. Assuming I am using safe login scripts, are there any security holes in simply performing an additional query, upon successful login, against the 'roles' table to discover the user's authorization level and storing this into a session variable? The idea would then be that on any page with mixed authority, I could simply query the session variable to discover the logged in user's authorization level.
谢谢.
推荐答案
会话比 cookie 安全得多.但是仍然有可能窃取会话,因此黑客可以完全访问该会话中的任何内容.避免这种情况的一些方法是 IP 检查(它工作得很好,但 fi 非常低,因此本身不可靠)和使用 nonce.通常,对于随机数,您有一个每页令牌",以便每个页面检查最后一页的随机数是否与它存储的内容相匹配.
Sessions are significantly safer than, say, cookies. But it is still possible to steal a session and thus the hacker will have total access to whatever is in that session. Some ways to avoid this are IP Checking (which works pretty well, but is very low fi and thus not reliable on its own), and using a nonce. Typically with a nonce, you have a per-page "token" so that each page checks that the last page's nonce matches what it has stored.
在任一安全检查中,都存在可用性损失.如果您进行 IP 检查并且用户位于 Intranet 防火墙(或导致此问题的任何其他情况)之后,该防火墙没有为该用户保留稳定的 IP,则他们每次丢失 IP 时都必须重新进行身份验证.使用随机数,您会得到总是很有趣的点击返回会导致此页面中断"的情况.
In either security check, there is a loss of usability. If you do IP checking and the user is behind a intranet firewall (or any other situation that causes this) which doesn't hold a steady IP for that user, they will have to re-authenticate every time they lose their IP. With a nonce, you get the always fun "Clicking back will cause this page to break" situation.
但是通过 cookie,黑客可以通过使用相当简单的 XSS 技术来窃取会话.如果您将用户的会话 ID 存储为 cookie,他们也容易受到此攻击.因此,即使会话只能被可以进行服务器级黑客攻击的人穿透(这需要更复杂的方法,通常需要一定数量的权限,如果您的服务器是安全的),您仍然需要一些额外的验证级别根据每个脚本请求.你不应该同时使用 cookie 和 AJAX,因为如果 cookie 被盗,这会让你更容易完全去镇上,因为你的 ajax 请求可能无法对每个请求进行安全检查.例如,如果页面使用随机数,但页面从未重新加载,则脚本可能只检查该匹配项.如果 cookie 持有身份验证方法,我现在可以使用偷来的 cookie 和 AJAX 漏洞去镇上作恶.
But with a cookie, a hacker can steal the session simply by using fairly simple XSS techniques. If you store the user's session ID as a cookie, they are vulnerable to this as well. So even though the session is only penetrable to someone who can do a server-level hack (which requires much more sophisticated methods and usually some amount of privilege, if your server is secure), you are still going to need some extra level of verification upon each script request. You should not use cookies and AJAX together, as this makes it a tad easier to totally go to town if that cookie is stolen, as your ajax requests may not get the security checks on each request. For example, if the page uses a nonce, but the page is never reloaded, the script may only be checking for that match. And if the cookie is holding the authentication method, I can now go to town doing my evilness using the stolen cookie and the AJAX hole.
这篇关于PHP 会话变量有多安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
