我的网站是用 PHP 构建的。我想知道如何测试会话是否中断或是否容易受到任何安全攻击。有没有可用的工具或者我必须手动完成?
问问题
69 次
1 回答
0
你能提供更多信息吗?
会话存储在您的服务器中,您可以远程查看/销毁会话
但在编程中,您可以使用检查所有会话
foreach ($_SESSION as $key=>$val)
echo $key." ".$val;
对于安全问题
为了确保您的会话安全,需要做几件事:
1.Use SSL when authenticating users or performing sensitive operations.
2.Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
3.Have sessions time out
4.Don't use register globals
5.Store authentication details on the server. That is, don't send details such as username in the cookie.
6.Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking.
7.You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc (which is the case in our environment here).
8.Lock down access to the sessions on the file system or use custom session handling
For sensitive operations consider requiring logged in users to provide their authenication details again
于 2012-11-15T07:58:15.413 回答