Proper session hijacking prevention in PHP


Question


I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example:

// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);

// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');

// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');


// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);

// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);


session_start();

// If the user is already logged
if (isset($_SESSION['uid'])) {
    // If the IP or the navigator doesn't match with the one stored in the session
    // there's probably a session hijacking going on

    if ($_SESSION['ip'] !== getIp() || $_SESSION['user_agent_id'] !== getUserAgentId()) {
        // Then it destroys the session
        session_unset();
        session_destroy();

        // Creates a new one
        session_regenerate_id(true); // Prevents session fixation
        session_id(sha1(uniqid(microtime()))); // Sets a random ID for the session
    }
} else {
    session_regenerate_id(true); // Prevents session fixation
    session_id(sha1(uniqid(microtime()))); // Sets a random ID for the session
    // Set the default values for the session
    setSessionDefaults();
    $_SESSION['ip'] = getIp(); // Saves the user's IP
    $_SESSION['user_agent_id'] = getUserAgentId(); // Saves the user's navigator
}

So, my questions are:

  • do the ini_set's provide enough security?
  • is it okay to save the user's IP and navigator and then check it every time the page is loaded to detect a session hijack? Could this be problematic in any way?
  • is the use of session_regenerate_id() correct?
  • is the use of session_id() correct?

Answer


Your configuration is awesome. You definitely read up on how to lock down PHP sessions. However, this line of code negates a lot of the protection provided by your PHP configuration: session_id(sha1(uniqid(microtime())));


This is a particularly awful method of generating a session ID. Based on your configuration you are generating the session ID from /dev/urandom, which is an awesome entropy pool. This is going to be a lot more random than uniqid(), which is already mostly a timestamp; adding another timestamp to the mix doesn't help at all. Remove this line of code ASAP.


Checking the IP address is problematic: IP addresses change for legitimate reasons, such as when the user is behind a load balancer or Tor. The user agent check is pointless; it is like having a GET variable such as ?is_hacker=False. If the attacker has the session ID they probably have the user agent too, and if they don't, this value is really easy to brute force.
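As an added example (not code from the question or the answer), here is a session bootstrap that keeps the parts of the asked-about configuration the answer endorses, drops the session_id(sha1(uniqid(microtime()))) override, and replaces IP/user-agent pinning with an absolute session lifetime and periodic ID rotation. Two caveats the answer predates: PHP 7.1 removed session.entropy_file and session.hash_function (they are ignored now) and replaced them with session.sid_length and session.sid_bits_per_character, and session.cookie_secure=1 does not "use HTTPS if possible", it makes the browser withhold the cookie over plain HTTP, so the site must be HTTPS-only. The example assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie), an HTTPS-only site, and that SameSite=Lax is acceptable; the function names and the 8-hour / 15-minute limits are illustrative choices, not anything from the original post.

```php
<?php
// Added example: hardened PHP session bootstrap. Assumes PHP >= 7.3 and an
// HTTPS-only site. Function names and timeouts are illustrative choices.
declare(strict_types=1);

function secure_session_start(): void
{
    // Reject session IDs the server never issued. Without this, a cookie an
    // attacker plants before the victim logs in is accepted as-is (fixation).
    ini_set('session.use_strict_mode', '1');
    // Never read the ID from the URL; cookies only.
    ini_set('session.use_only_cookies', '1');
    // Longer IDs from PHP's own CSPRNG. These replaced session.entropy_file /
    // session.hash_function in PHP 7.1; do NOT override with session_id().
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // withheld over plain HTTP: site must be HTTPS-only
        'httponly' => true,     // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Lax',    // assumption: Lax suits this application
    ]);

    session_start();

    // Instead of pinning IP / user agent: an absolute lifetime and periodic
    // rotation of the ID, so a leaked ID stops working on its own.
    $now = time();
    if (!isset($_SESSION['created_at'], $_SESSION['rotated_at'])) {
        $_SESSION['created_at'] = $now;
        $_SESSION['rotated_at'] = $now;
    } elseif ($now - $_SESSION['created_at'] > 8 * 3600) {   // 8 h absolute max (illustrative)
        destroy_session();
        session_start();                                     // fresh, empty session
        $_SESSION['created_at'] = $now;
        $_SESSION['rotated_at'] = $now;
    } elseif ($now - $_SESSION['rotated_at'] > 15 * 60) {    // rotate every 15 min (illustrative)
        session_regenerate_id(true);                         // true = delete old session data
        $_SESSION['rotated_at'] = $now;
    }
}

// Call only after the password check succeeds. The privilege change gets a
// brand-new ID and the pre-login ID is deleted, so a fixated or leaked
// anonymous ID never becomes an authenticated one.
function login_session(int $uid): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    $_SESSION['rotated_at'] = time();
}

// Full logout: clear data, expire the cookie with matching attributes, destroy.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

secure_session_start();
if (isset($_SESSION['uid'])) {
    echo 'logged in as user ', (int) $_SESSION['uid'], PHP_EOL;
} else {
    echo 'anonymous session', PHP_EOL;
}
```

The order matters: session_regenerate_id() must run after session_start() and before any output, and login_session() must be the only place the session is promoted from anonymous to authenticated. Note also that in the original snippet session_regenerate_id() is called right after session_destroy(), when there is no active session to regenerate; the rotation above is done while the session is live, and a destroyed session is simply restarted.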

