Proper session hijacking prevention in PHP
I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example:
// **PREVENTING SESSION HIJACKING**
-
Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration:
session_id(sha1(uniqid(microtime()));This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from
/dev/urandomwhich is a awesome entropy pool. This is going to be a lot more random than uniqid() which is already mostly a timestamp, adding another timestamp to this mix doesn't help at all. Remove this line of code, asap.Checking the IP address is problematic, ip addresses change for legitimate reasons, such as if the user is behind a load balancer or TOR. The user agent check is pointless, it is like having a GET variable like
?is_hacker=False, if the attacker has the session id they probably have the user agent, and if they don't this value is really easy to brute force.讨论(0)
加载中...
- 热议问题