37

I'm mainly a C++ programmer, but I'm trying to learn some PHP.

Apparently, the way to implement web user sessions is to use the $_SESSION variable to store the user's login ID in a cookie.

Couldn't someone just modify their cookie to give themselves different permissions or log in as a different user?

It seems like this authentication mechanism simply has the user store their ID in a file, and then just trusts that they won't change it.

Is there anything that prevents this?

Thanks!


6 Answers

67

PHP sessions are only as secure as your application makes them. PHP sessions will give the user a pseudorandom string ("session ID") for them to identify themselves with, but if that string is intercepted by an attacker, the attacker can pretend to be that user.

What to do

This information is taken from "Session Management Basics" in the PHP manual, but simplified a bit. Some things may have been missed. Be sure to read through that as well.

  1. Always use HTTPS
    • Prevents attackers from reading the session ID cookie
  2. Enable session.use_strict_mode
  3. Enable session.use_only_cookies and disable session.use_trans_sid
    • Avoids user sharing session ID accidentally by sharing a URL with the session ID in it
    • Prevents the session ID from appearing in a Referer header
  4. Periodically regenerate the session ID and invalidate old session IDs shortly after regenerating
    • If an attacker uses another user's session ID, regenerating will invalidate either the user's or attacker's session, depending on which makes the request that regenerates the ID. You can then track when someone tries to use a session that has been regenerated already, and invalidate the regenerated session at that point. The user will be able to log in, but the attacker (hopefully) won't be able to.
  5. Optionally keep track of additional information in $_SESSION that relates to the request (IP address, user agent string, etc)
    • If an attacker somehow gains access to a session ID, this can possibly detect the intrusion before the attacker can access any data. However, keep in mind that this may worsen the user experience. For example, the IP address may change when the user switches from a mobile network to Wi-Fi, and the user agent string may change when their browser automatically updates. Adjust the data checked according to the tradeoffs your site is willing to deal with.
answered 2012-04-15T20:04:50.333
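The five points in this answer, carried into one session bootstrap, as an added example that is not code from the answer or from the PHP manual. The function names (secure_session_start, rotate_session_id, destroy_session_by_id), the $_SESSION keys it uses (rotated_at, successor_id, fingerprint, issued_at) and the two timing constants are this example's own choices; the ini settings and the session_* calls are PHP's. Rotation keeps the old ID readable for a short grace period so that requests already in flight still succeed, records which ID replaced it, and treats any later use of the old ID as a replay that kills both sessions.

```php
<?php
// Added example (not from the answer or the PHP manual): a session bootstrap
// applying the answer's five recommendations. Function names, $_SESSION keys
// and the two constants are assumptions of this example; ini settings and
// session_* functions are real PHP.
declare(strict_types=1);

const ROTATE_AFTER_SECONDS = 900; // regenerate the ID every 15 minutes (assumed policy)
const OLD_ID_GRACE_SECONDS = 60;  // a rotated ID stays usable this long (assumed policy)

function secure_session_start(): void
{
    // Point 2: reject session IDs the server never issued.
    ini_set('session.use_strict_mode', '1');
    // Point 3: cookies only; never carry the ID in a URL or a Referer header.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Point 1: the cookie travels over HTTPS only and is hidden from JavaScript.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    // Point 4: an ID rotated longer than the grace period ago is being replayed.
    // Destroy it and the session it was rotated into, then start a fresh one, so
    // that neither party keeps access and the legitimate user simply logs in again.
    if (isset($_SESSION['rotated_at'])
        && time() - $_SESSION['rotated_at'] > OLD_ID_GRACE_SECONDS) {
        $successor = $_SESSION['successor_id'] ?? null;
        session_destroy();
        if ($successor !== null) {
            destroy_session_by_id($successor);
        }
        session_start();
        return;
    }

    // Point 5: bind the session to a request attribute. The user agent is used
    // here; add or drop attributes according to how many false alarms you accept.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        session_destroy();
        session_start();
        $_SESSION['fingerprint'] = $fingerprint;
        return;
    }

    // Point 4: periodic rotation.
    $_SESSION['issued_at'] ??= time();
    if (time() - $_SESSION['issued_at'] > ROTATE_AFTER_SECONDS) {
        rotate_session_id();
    }
}

// Move the session to a new ID, leaving the old one readable for the grace
// period and marked so that any later use of it can be detected.
function rotate_session_id(): void
{
    $oldId = session_id();
    // session_regenerate_id(false) writes the current data, marker included,
    // into the old session before issuing the new ID and its cookie.
    $_SESSION['rotated_at'] = time();
    session_regenerate_id(false);
    $newId = session_id();
    unset($_SESSION['rotated_at']);
    $_SESSION['issued_at'] = time();
    session_write_close();

    // Record the successor in the old session so a replay can find and kill it.
    session_id($oldId);
    session_start();
    $_SESSION['successor_id'] = $newId;
    session_write_close();

    // Continue the request in the new session.
    session_id($newId);
    session_start();
}

// Destroy a session given its ID; called when no session is active.
function destroy_session_by_id(string $id): void
{
    session_id($id);
    session_start();
    session_destroy();
}

// Call secure_session_start() instead of session_start() at the top of every request.
secure_session_start();
```

The grace period is the trade-off the answer describes: too short and a user with two tabs open gets logged out when the second request arrives with the old ID; too long and an attacker holding the old ID keeps it usable for that much longer.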
25

No, the session is stored on the server, where the user cannot access it. It is used to store information across the whole site, such as a login session.

Here is a usage example:

<?php
session_start();
// $hash is the password hash stored for this user (created with password_hash()),
// loaded from your user store before this check.
if (password_verify($_POST['password'], $hash)) {
    // Issue a fresh session ID on login so a pre-existing ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['auth'] = true;
}
?>

The session can then be accessed anywhere on the site to check whether the user has authenticated.

<?php
session_start();
// empty() avoids an undefined-index notice when no login has happened yet.
if (!empty($_SESSION['auth'])) {
    echo "You are logged in!";
}
?>

The user cannot edit these values, but the session's ID is stored on their computer as a long random string in a cookie. If an unauthorized user gains access to that string, they could potentially access the site.

answered 2012-04-15T19:48:39.050
6

If you do this:

$_SESSION['user'] = $username;

then $username is not stored directly in the cookie. Instead, a unique session ID is generated and stored in the cookie.

The information you store in $_SESSION is kept only on the server side and is never sent to the client. On the client's subsequent requests, session_start() loads the session data on the server using the ID stored in the cookie.

It is relatively secure. The only thing that can happen is that someone intercepts the session ID and thereby steals the real user's session. HTTPS prevents that, though.

answered 2012-04-15T19:49:56.923
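This answer and the one before it make the same point: the cookie carries only the session ID, and the values stay on the server. The following command-line script, added here and not part of either answer, makes that visible by writing a session, printing what the browser would hold next to what the server's session file holds, reloading the data from the ID alone, and finally presenting a made-up ID with session.use_strict_mode on. The save directory, the two session ID strings and the user data are constructed for this demo.

```php
<?php
// Added example (not from either answer): shows that the client holds only the
// session ID while the data lives in a server-side file. The directory, the IDs
// and the stored values below are constructed for the demo.
declare(strict_types=1);

$saveDir = sys_get_temp_dir() . '/php-session-demo';
if (!is_dir($saveDir)) {
    mkdir($saveDir, 0700, true);
}
ini_set('session.save_path', $saveDir);
ini_set('session.use_cookies', '0');      // CLI: there is no HTTP response to set a cookie on
ini_set('session.use_strict_mode', '0');  // accept the explicitly chosen demo ID for request 1

$issuedId = 'demo1234567890abcdef';       // constructed; PHP would normally generate this

// Request 1: the "login". In a web request, session_start() would emit
// Set-Cookie: PHPSESSID=<this id>; nothing else about the session leaves the server.
session_id($issuedId);
session_start();
$_SESSION['user'] = 'alice';
$_SESSION['role'] = 'admin';
session_write_close();

$serverFile = $saveDir . '/sess_' . $issuedId;   // the files handler's naming scheme
echo "What the browser stores:        PHPSESSID=$issuedId\n";
echo "What the server stores in $serverFile:\n";
echo '  ', file_get_contents($serverFile), "\n";

// Request 2: the client presents only the ID; the server reloads the values.
session_id($issuedId);
session_start();
echo "Reloaded from the ID alone:     user={$_SESSION['user']} role={$_SESSION['role']}\n";
session_write_close();

// Request 3: a client that edits its cookie only changes WHICH server-side
// session it asks for. With strict mode on, an ID the server never issued is
// rejected and replaced by a fresh, empty session.
ini_set('session.use_strict_mode', '1');
$forgedId = 'forged0000000000000000';     // constructed
session_id($forgedId);
session_start();
echo 'Forged ID accepted?             ',
    session_id() === $forgedId ? "yes\n" : 'no, replaced by ' . session_id() . "\n";
echo 'Data visible to the forger:     ', count($_SESSION), " entries\n";
session_write_close();
```

Run it with `php demo.php`; the script needs write access to the system temp directory. The session file it prints is exactly what $_SESSION contains, and nothing in it is ever sent to the client.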
6

There are two ways to answer this question:

  1. PHP session IDs are hard enough to guess for most use cases. Not much harder or less hard than other widely used systems.

  2. Trusting only a session cookie (and only the existence of a session cookie) seems not to go very far security-wise to me, no matter where this session cookie comes from - PHP or elsewhere.

So, in short: PHP sessions are as secure as your use of them makes them. This is true for any session-cookie-based system I know of.

answered 2012-04-15T19:50:53.760
1

Since you are a C++ programmer, you only need to know that the session visible to the client side is just a pointer on a different address space (the server) and, therefore, the session cannot be accessed from the client mode.

answered 2017-01-21T15:32:05.950
0

Whatever answer you get on this topic you are most likely not going to be satisfied because there are so many different opinions on the topic. There are even entire books written about sessions and PHP security in general.

The best answer you can hope to get here is probably "sessions are as safe as you want them to be". More work and a larger number of precautions will obviously make them safer to use, but the implementation itself will consume more time. As with everything, you are the one to measure how safe is safe enough for your needs.

answered 2012-04-15T20:05:16.083