PHP Session Hijacking

Question

I have a question regarding session hijacking in PHP. I have been reading about it this morning and I have a few questions that just weren't answered clearly in the documentation I read.

Can a user change their session on my website? i.e. if they have a session of X when they log in, can they change that session to Y, or Z, if they so choose?

I thought that sessions were set by the browser and they couldn't be changed, but all of this session hijacking stuff I've been reading has put some doubt in my mind.

Recommended answer

The term "session" is overloaded to mean different things on the server and in the browser. Browser sessions are at best tenuously connected to server sessions. "Session hijacking" refers to server sessions.

Server-side, a session has an ID (which is passed between the client and server), content (stored on the server) and potentially other properties, such as last access time. The session ID is usually passed as a cookie. In PHP the default name for the cookie is "PHPSESSID". If cookies aren't available, PHP will (optionally) use a query string parameter of the same name ("PHPSESSID"). This cookie (or query param) can easily be changed and therefore the session identifier can be changed too.

The contents of a session (i.e. containing the login state of a user) cannot be changed by the client, the data is stored on the server and can only be changed by a PHP script on that server. Note that in a shared-hosting environment (shared by other services or users), the sessions can be overwritten if using the default session storage directory (/tmp). To protect against that, either use a database through session_set_save_handler() or set a custom session directory using session.save_path with the proper directory permissions set (preferably 700 which means that only the owner (the PHP user) can read and write to it).

To protect against session hijacking, you must have other ways to identify the user against a session. This can be a user agent, IP address or another cookie. The previously mentioned methods are just workarounds; the best way to protect against stealing of the session cookie is by using HTTPS if a session is involved. Do not forget to set the httponly flag to true using session_set_cookie_params().

Client-side, "session" is again overloaded and used in various contexts (e.g. session managers, which restore open pages when a browser is opened, session cookies and sessionStorage). We can try to combine these meanings (into what is by no means a standard one) by saying a browser session consists of a collection of views and their associated data. (By "view" I mean roughly tabs in tabbed browsers and windows in non-tabbed browsers; the DOM window object exposes a view to JS.) Each view has a history, a current page and page data. Page data for pages in the same domain is shared between views in a session; if two pages are in different domains or different sessions, they don't share data. Exiting the browser closes all open session(s), possibly saving part of the session(s) (e.g. histories, current pages, sessionStorage) so that a session manager can re-open them. Session cookies are cookies that are discarded when a session is closed; in other words, session cookies are non-persistent. Though a session cookie may hold a session ID, the two concepts are orthogonal (sense 4; session cookies can hold things other than session IDs, and session IDs can be stored in persistent cookies).

Whether two different views are in the same collection depends on the browser. For example, one browser may consider a session to consist of all tabs within a single window; separate windows are separate sessions. IE8 lets users create new sessions via the "New session" menu item. Otherwise, new windows and tabs are opened in the same session. Privacy modes also create new sessions.

In summary, browser sessions are indeed set by the browser, though it provides users various means of controlling browser sessions: creating new sessions, changing the history and current page in a view by browsing, saving and restoring sessions. A user could even change session data by editing sessions saved on disk, though this isn't a feature afforded by the browser. None of this has anything to do with session hijacking. Server sessions are created and managed by the server, but users can (attempt to) switch server sessions by changing the session ID their browser passes back to the server, which is the basis for session hijacking.

See also PHP Session Fixation/Hijacking.
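The answer's server-side advice (a private save_path instead of /tmp, cookies only, httponly and HTTPS-only cookie flags, and a second identifier bound to the session) put together in one request bootstrap. This is an added example, not code from the answer above; it assumes HTTPS is already in place and that `/var/lib/myapp/sessions` (hypothetical path) exists, owned by the PHP user with mode 0700.

```php
<?php
declare(strict_types=1);

function secure_session_start(string $savePath): void
{
    // Keep session files out of the shared /tmp so other tenants on the host
    // cannot read or overwrite them; the directory must be owned by the PHP
    // user with mode 0700 (hypothetical path, set up outside this script).
    ini_set('session.save_path', $savePath);
    // Never accept the ID from a query string (?PHPSESSID=...), only from the cookie.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the client invented instead of silently creating a session under them.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // non-persistent "session cookie"
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Bind the server session to a second identifier, as the answer suggests:
    // here a hash of the User-Agent header. Not a complete defence on its own,
    // but a stolen ID replayed from a different client will no longer match.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // Mismatch: discard the session rather than serve it to this client.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $fingerprint;
    }
}

// Hypothetical login hook: issue a fresh ID once the user is authenticated so an
// ID that was fixed before login (see the linked fixation question) is useless.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Call this instead of a bare session_start() at the top of every request.
secure_session_start('/var/lib/myapp/sessions');
```

The array form of session_set_cookie_params() requires PHP 7.3 or later; on older versions pass the individual lifetime, path, domain, secure and httponly arguments instead.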
