Securely creating and destroying login sessions in PHP


Question

This is my code to control authentication on a website. I'm not sure if my logic is correct. If the username and password are correct, the following happens:

if (session_start())
{
    session_regenerate_id(true); // without this the session ID will always be the same
    $_SESSION['loggedInUser'] = $uName;
    echo 'You are now logged in';
}
else echo 'Right password/username but session failed to start';

Subsequent pages check to see if the user is logged in by

session_start();
if (isset($_SESSION['loggedInUser'])) // the original was missing the closing parenthesis
{
    // rest of page
}
else echo 'you must log in';

On logout I have:

session_start();//if I don't have this the next line produces an error
session_unset();//destroys session variables
session_destroy();//ends session

I read not to call session_start() on logout, but if I don't have it there I get the message "Trying to destroy uninitialized session". How can I fix this?

Is it recommended or not to create a fingerprint based on the IP address and user agent? I read it's bad because multiple computers can share the same IP address if they are in, for example, a computer lab and all the traffic goes through a proxy, and the same computer could change its IP address if it's dynamic. On the other hand, how often does this happen? It may be worth the few blocked valid uses to prevent all session hijacking.

Even if you could recommend reputable articles I should read to learn about this topic that would be great, thanks.

5/6 answers have votes less than 0 :( Could downvoters comment so I know what to look out for?

Accepted answer

First of all you should read the Mozilla WebAppSec Security Coding Guideline - Session Management and OWASP A3-Broken Authentication and Session Management. You can configure PHP's session handler to meet these requirements.

The first flaw you should prevent is A9-Insufficient Transport Layer Protection. In short you do not want someone to hijack a session using a tool like Firesheep. This attack can be prevented by forcing the browser to only send the session id over https:

session.cookie_secure=1

You can prevent an attacker from obtaining the session id using XSS by setting the httponly flag:

session.cookie_httponly=1

You always want to use a cookie to store your session id. If the session id can be passed using a GET or POST variable, then an attacker could use a Session Fixation attack to hijack a session. Another way of thinking about this attack is that you don't want an attacker to create a session for another user:

session.use_cookies=1
session.use_only_cookies=1

Next, you want to make sure you have at least 128 bits of entropy from a CSPRNG. On *nix systems you can use /dev/urandom:

session.entropy_file="/dev/urandom"
session.entropy_length=16

The session handler isn't everything. You still need to worry about Cross-Site Request Forgery attacks (aka CSRF or "Session Riding"), and Cross-Site Scripting (XSS). XSS can be used to defeat CSRF protection (even with http_only cookies!). Clickjacking can also be used by an attacker to perform unauthorized actions.

After you set these configuration options, just call session_start(). As for destroying the session, call session_destroy() when the user logs out; it's that simple!
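The answer's settings applied in code, as an added example that is not part of the original question or answer: a hardened session bootstrap, the login and login-check from the question, and a logout that expires the browser cookie before destroying the server-side session. It assumes PHP 7.3 or newer (array-form session_set_cookie_params() and setcookie()); the function names are hypothetical.

```php
<?php
// Added example, not code from the original question or answer: the answer's
// session settings applied in code, plus a login and a logout that also expire
// the browser cookie. All function names here are hypothetical.

function secureSessionStart(): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return; // already active; a second session_start() only raises a notice
    }
    // Cookies only: a session id in a GET/POST parameter allows session fixation.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    // Reject ids the server never issued (fixation through a forged cookie).
    ini_set('session.use_strict_mode', '1');
    // Cookie flags: HTTPS only (sniffing), no JavaScript access (XSS),
    // not attached to cross-site requests (reduces CSRF exposure).
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the username/password check has succeeded.
function loginUser(string $uName): void
{
    secureSessionStart();
    session_regenerate_id(true); // fresh id so a pre-login id cannot be reused
    $_SESSION['loggedInUser'] = $uName;
}

// Subsequent pages: null means "you must log in".
function currentUser(): ?string
{
    secureSessionStart();
    return $_SESSION['loggedInUser'] ?? null;
}

// Logout: clear data, expire the browser cookie, then destroy server state.
function logoutUser(): void
{
    secureSessionStart(); // session_destroy() requires an active session
    $_SESSION = [];
    $p = session_get_cookie_params();
    unset($p['lifetime']); // not a setcookie() option key
    setcookie(session_name(), '', ['expires' => time() - 42000] + $p);
    session_destroy();
}
```

Calling secureSessionStart() on logout is what avoids the "Trying to destroy uninitialized session" message from the question, since session_destroy() only works on an active session.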
