0

我正在尝试会话。

我试图让它成为一个安全的会话,我让用户只有在通过加盐和散列验证后才收到一个等于 5 的“signin”会话变量。

 if($passwordhash == $tablehash)
    {
            session_start();
            $_SESSION['signin'] = 5;
            header("Location: /~cssgf3/cs3380/lab7/home.php");

然后我有它被重定向到通过此步骤进行验证的页面:

session_start();

$sessionValue = 5;//$_SESSION['sessionValue'];
$userSession = $_SESSION['signin'];

if($userSession == $sessionValue)
{

我很好奇这是否是验证会话的适当方式。在这一点上我不太担心安全性,但我感兴趣的是这是否安全,如果不安全,是否有一种简单的方法来解决它?

4

2 回答 2

2

Very broad question. To answer in simple terms, yes, that's the usual approach. It's usually the things like following that needs to be made secure

  1. Is your code SQL injection safe? Can someone bypass the login?
  2. Can someone use a bruteforce attack?
  3. Is your code XSS safe?
  4. Is your code CSRF safe?
  5. Is the session cookie stored securely? Do you need to use HTTPS only or secure properties
  6. Is it safe against rainbow-table attacks? Are you using salting when storing passwords?

List can go on and of course these depends on the level of security needed.

Also, if the page is user specific, you also need to verify each action can be performed on the given object. For example if it's an order, is the order owned by the current logged in user, not just if a user is logged in.

Hope this helps.

于 2012-10-23T00:43:47.113 回答
1

从广义上讲,是的,但是如果不了解更多您的代码,就很难说。

您最好为用户分配一个唯一值 - 而不是INT5 的值。

于 2012-10-23T00:38:20.113 回答