PHP: Preventing Session Hijacking with token stored as a cookie?

Views: 626

Question

I'm working on an RIA in PHP. To try to prevent session hijacking I introduced a token, generated at login, based off a salt, ISO-8601 week number and the user's IP.

<?php
$salt      = "blahblahblah";
// ISO-8601 week number + salt + client IP, as sent with the request
$tokenstr  = date('W') . $salt . $_SERVER['REMOTE_ADDR'];
$token_md5 = md5($tokenstr);
// expose the token as a constant for the rest of the request
define("token_md5", $token_md5);

Currently, it's passed by GET or POST with every request, but I was wondering if I could avoid this by offering it as a cookie, since it is dependent on the user's IP. I'm just now learning sessions, so I was wondering if there are any security concerns with doing that? Is it a bad idea?

Recommended answer

Any data the user keeps can be stolen; any data a visitor sends could be spoofed. Better to store the remote IP in $_SESSION when the session is opened, and compare the remote IP with every request. If they don't match, it's probably a hijack. Generate a new ID and have the user log back in.
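The following is an added example, not code from the question or the answer, showing the server-side approach the answer recommends: record REMOTE_ADDR in $_SESSION at login, compare it on every request, and discard the session (with a fresh ID) on a mismatch, so no client-supplied token is needed. Function names (startHardenedSession, loginUser, sessionIpMatches, requireValidSession) and the /login.php redirect target are my own choices; it assumes PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example (not from the original question or answer): bind the PHP
// session to the client IP seen at login and force re-login if it changes.
// Names below are assumptions for illustration, not part of the original page.

declare(strict_types=1);

// Start the session with the cookie flags a session cookie should carry.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

// Call once, immediately after the credentials have been verified.
function loginUser(int $userId): void
{
    // A new session ID at the privilege change prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['login_at'] = time();
}

// True when the IP recorded at login matches the IP of this request.
function sessionIpMatches(array $session, string $remoteAddr): bool
{
    if (!isset($session['login_ip'])) {
        return false;
    }
    // Constant-time comparison; cheap here, but a good habit for auth data.
    return hash_equals((string) $session['login_ip'], $remoteAddr);
}

// Run at the top of every authenticated request.
function requireValidSession(): void
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (empty($_SESSION['user_id']) || !sessionIpMatches($_SESSION, $remote)) {
        // Probable hijack (or no login): wipe the data, drop the cookie,
        // destroy the server-side session, and send the user to log in again.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => time() - 42000,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'],
            ]);
        }
        session_destroy();
        header('Location: /login.php', true, 303);
        exit;
    }
}

// Typical use on a protected page (login.php would call loginUser() instead):
startHardenedSession();
requireValidSession();
echo 'Hello, user #' . (int) $_SESSION['user_id'];
```

Because the comparison value lives in $_SESSION on the server, the client never holds anything it could tamper with beyond the session cookie itself. One practical caveat: binding to REMOTE_ADDR produces false logouts for users whose address legitimately changes mid-session (mobile networks, load-balanced proxies), so in such environments the check is often relaxed to a network prefix or combined with a short idle timeout rather than applied as a strict equality.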
