Session hijacking and PHP

早过忘川 提交于 2019-11-26 10:59:35

问题


Lets just consider the trust that the server have with the user.

Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php)

Session sidejacking: SSL encryption for the entire site.

Am I safe ?


回答1:


Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding".

You should use this code in a php header file:

ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);
session_start();

This code prevents session fixation. It also helps protect against xss from access document.cookie which is one way that Session Hijacking can occur. Enforcing HTTPS only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also STS is a very cool security feature, but not all browsers support it (yet).




回答2:


I would also suggest storing the user agent and ip information in the session, and verifying it on each request. It's not bullet-proof, but it is a fairly significant increase in robustness. While UA forging is really easy, IP forging, while possible, is MUCH harder... But you may have issues with users who are behind a round-robin IP system such as AOL users...




回答3:


the best practice i have ever found is save the session data to database or a text file. the database will have user agent, and IP record and check it every request for ensure that the session never been hijacked by other.

for example how session saved at database you can see the implementation at codeigntier session library. in my opinion this way fairly save to prevent someone to hijact session.



来源:https://stackoverflow.com/questions/3517350/session-hijacking-and-php

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!