会话劫持和 PHP [英] Session hijacking and PHP

问题描述

让我们考虑一下服务器对用户的信任.

Lets just consider the trust that the server have with the user.

会话固定:为了避免固定，我仅在身份验证 (login.php) 中使用 session_regenerate_id()

Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php)

会话劫持:整个站点的 SSL 加密.

Session sidejacking: SSL encryption for the entire site.

我安全吗?

推荐答案

阅读 OWASP A3-损坏的身份验证和会话管理.另请阅读 OWASP A5-CSRF，有时也称为会话骑术".

Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding".

您应该在 php 头文件中使用此代码:

You should use this code in a php header file:

ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);
session_start();

此代码可防止会话固定.它还有助于防止 xss 访问 document.cookie，这是 的一种方式可能会发生会话劫持.强制使用仅限 HTTPS 的 cookie 是解决 OWASP A9-Insufficient Transport Layer Protection.这种使用 HTTPS 的方式有时被称为安全 cookie"，这是一个糟糕的名字.另外 STS 是一个非常酷的安全功能，但是并非所有浏览器都支持它(但).

This code prevents session fixation. It also helps protect against xss from access document.cookie which is one way that Session Hijacking can occur. Enforcing HTTPS only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also STS is a very cool security feature, but not all browsers support it (yet).

这篇关于会话劫持和 PHP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！