Codeigniter session security


Question


How can I increase the security of my sessions?

$this->session->userdata('userid')


I've been throwing this little bad boy around for my ajax calls. Some cases I haven't. Then I was like, is this really secure using id from the DOM? what if the DOM is changed to hack user accounts data? So then I was like I guess anytime a user is doing something relating to their id, only sessions should be referenced. Am I right?

Like so:

$this->some_model->do_data_stuff($dataId, $this->session->userdata('userid'));

Then I read this:

The session data array stored in the user's cookie contains a Session ID, but unless you store session data in a database there is no way to validate it. For some applications that require little or no security, session ID validation may not be needed, but if your application requires security, validation is mandatory. Otherwise, a user could restore an old session by modifying their cookies.
http://codeigniter.com/user_guide/libraries/sessions.html


I'm not going to be storing financial data but I don't want any data on my site corrupted ever. Does SO use session validation? How much overhead will this validation cost? How would a session be hacked? What are some things to look out for with session security?
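The two patterns the question contrasts, shown side by side in a CodeIgniter 2.x controller. This is an added example, not code from the original post; the controller name `Items`, the model `Some_model`, its `do_data_stuff()` method, the `items` table and its `owner_id` column are all assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Assumed names: Items controller,
// Some_model, do_data_stuff(), table "items" with columns id / owner_id / touched_at.

class Items extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->model('some_model');
    }

    // Insecure: the owner id is taken from the request body, which the client
    // fully controls. Editing the DOM or the AJAX payload lets one logged-in
    // user act on another user's records.
    public function update_insecure()
    {
        $data_id = (int) $this->input->post('data_id');
        $user_id = (int) $this->input->post('user_id');   // client-controlled value
        $this->some_model->do_data_stuff($data_id, $user_id);
    }

    // Secure: the owner id comes from server-side session data, which the
    // client cannot alter; only the record id is read from the request.
    public function update()
    {
        $user_id = (int) $this->session->userdata('userid'); // FALSE -> 0 when not logged in
        if ($user_id === 0) {
            show_error('Not logged in', 401);
        }
        $data_id = (int) $this->input->post('data_id');
        $ok = $this->some_model->do_data_stuff($data_id, $user_id);

        $this->output->set_content_type('application/json')
                     ->set_output(json_encode(array('ok' => $ok)));
    }
}

class Some_model extends CI_Model
{
    // Scope the write by owner as well as by record id, so that even a
    // guessed data_id belonging to someone else updates zero rows.
    public function do_data_stuff($data_id, $user_id)
    {
        $this->db->where('id', $data_id)
                 ->where('owner_id', $user_id)
                 ->update('items', array('touched_at' => date('Y-m-d H:i:s')));
        return $this->db->affected_rows() === 1;
    }
}
```

The second half matters as much as the first: reading the user id from the session stops impersonation, but the model must still pair that id with the record id in the WHERE clause, otherwise any authenticated user could modify any `data_id` they can guess.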

Answer


Using CodeIgniter sessions with database is going to be fairly secure. You just don't have to trust the input that the user gives. Even if you are using AJAX, the CodeIgniter session will work just like any standard call, so the same security goes on.


What happens with the CodeIgniter session is that the server stores the cookie, and every time the user does an action that would change the content of the cookie, it is first compared to the previous cookie.


If the user changes the content of the session cookie in the browser, CodeIgniter will notice on the next server call, and create a new session for the user, basically logging him out.


CodeIgniter doesn't really need the data stored in the cookie in the user's browser, and as long as you're using

$this->session->userdata('userid');


you're going to get trusted server-side data. The user can't change that. Furthermore, the cookie can be encrypted, and you should have it encrypted. Just look in config.php of CodeIgniter.


There are several other protections around the session data: the short refresh timeout (usually 300 seconds), it checks if the IP changed, and if the browser changed. In other words, in the worst case scenario, the only way to spoof the session data is by having the same version of the browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and getting this done within 5 minutes.


So, watch out for the guy sitting beside you!
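The protections the answer lists (database-backed validation, cookie encryption, IP and user-agent matching, the 300-second refresh) each map to a setting in `application/config/config.php` of CodeIgniter 2.x. The fragment below is an added example, not the answer's own code; the values are illustrative and the encryption key is a placeholder to be replaced with a random key of your own.

```php
<?php
// Added example: session-related settings in application/config/config.php
// (CodeIgniter 2.x). Values are illustrative; the key is a placeholder.

$config['encryption_key']       = 'REPLACE-WITH-32-RANDOM-CHARS';  // placeholder, never ship this
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;   // idle session lifetime in seconds
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;   // encrypt the cookie contents ("you should have it encrypted")
$config['sess_use_database']    = TRUE;   // keep the session server-side so the session id can be validated
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;   // log out if the client IP changes
$config['sess_match_useragent'] = TRUE;   // log out if the browser's user agent changes
$config['sess_time_to_update']  = 300;    // regenerate the session id every 300 s (the "short refresh timeout")

// Cookie transport: only send the session cookie over HTTPS.
$config['cookie_secure']        = TRUE;
```

With `sess_use_database` enabled, the `ci_sessions` table must exist; its schema is given in the user guide page linked in the question. One caveat a practitioner will want to weigh: `sess_match_ip` also logs out legitimate users whose address changes mid-session (mobile networks, some corporate proxies), so measure the support cost before turning it on for a consumer-facing site.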
