is session security in PHP? _php Tips

Doing PHP development for such a long time, really did not really pay attention to security issues, each time is to complete the project mainly, recently saw an article on the internet about security, after reading to notice that their previous projects are very large security vulnerabilities, so picked a project tested, found it easy to recruit children. Here I will share a test example of how unsafe the session in PHP is, and how to enhance its security in the project.
For the principle of the session mechanism, there are many good articles on the Internet to introduce, we can check. Below is a direct share of the test examples.
This test example is mainly a login page, the successful login can modify the password, so a simple function.
The interface is as follows

The first is to use function session_start () to open the session at the entry point of the project. So when the client initiates the request, an identity is generated, which is SessionID. stored in the client by means of cookies, each communication between the client and the server is based on this sessionid for identification.
After the login is successful, the user ID, user name is saved in session

$_session[' userid '] = User ID
$_session[' uname ' = user name

All subsequent operations are checked to see if the user is logged in by determining whether $_session[' userid ' exists. The code is as follows:

if (Isset ($_session[' userid ')) return true;

The call to modify the password interface is transferred to the server via an AJAX post.

$.post ("interface *******",
  {
     oldpass:oldpass,
     newpass:newpass,
     userid:uid,
  },
  function (data) {
     data = eval (' (' +data+ ') ');
     $ ('. Grant_info '). html (Infos[data.info]). Show ();

Note that I write this code in the HTML page, so if you see the HTML code, you will know the interface address.
The interface to modify the password is implemented in this way, first of all, to determine whether the user is logged in, if the password will be modified operation.
The implementation of the test example is probably the way it is described above.
using SessionID attacks
1. The first is to get SessionID, of course, there are many ways attackers get this logo, because my level is limited, as to how to get me here without introducing. We can simulate a normal access to this project, and then through the browser to view the SessionID, so as to get a legitimate user identity. You can see this item ID in the request header

 accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-encoding:gzip, deflate
accept-language:zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
connection:keep-alive
cookie:hm_lvt_ bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7;
Host: Hu
Referer:
user-agent:mozilla/5.0 (Windows NT 6.1; rv:41.0) gecko/20100101 firefox/41.0 

After getting SessionID, if this user login is successful, then the server session will have this user's information.
2. After obtaining the SessionID, if the attacker already knows the interface to modify the password, it can modify the user's password directly. If the attacker has not yet received an interface address, you can find the interface address by looking at the page code. You can use the following command

#curl--cookie "PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7" page address

As we said above, the AJAX code in this example is written in an HTML page, so you can view the interface address in this page
Some of the HTML code is as follows

3. After the interface can be Curl analog post to send data to modify the password
Commands are as follows

# Curl--cookie "Phpsessid=2eiq9hcpu3ksri4r587ckt9jt7"-D oldpass=111111-d newpass=000000-d userid= User ID interface address

If this user is logged in, the attacker can modify the user's password by executing the above command.
Solving method
For attacks in these ways, we can enhance their security by complicating the verification approach. One way is to use the User-agent item in the request header to enhance its security

 accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-encoding:gzip, deflate
accept-language:zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
connection:keep-alive
cookie:hm_lvt_ bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7;
Host: Hu
Referer:
user-agent:mozilla/5.0 (Windows NT 6.1; rv:41.0) gecko/20100101 firefox/41.0

At the beginning of the project we just used the session_start () function to open the session. Now we can add this code under Session_Start ()

$_session[' user_agent '] = MD5 ($_server[' http_user_agent '));

Then, each time you decide whether to log in, add a judgment condition as follows

If (Isset ($_session[' userid ')) && $_session[' user_agent '] = = MD5 ($_server[' http_user_agent ']) {return
    true;
}

This will avoid the simple attack described above.
Summarize:
Of course, the actual attack is far from so simple, first in the acquisition of SessionID This step is more difficult, and then the interaction with the server to encrypt the code as much as possible to avoid the above situation. After we modify the code for the second time, we can increase the complexity of the attack and not eliminate the attack. There are a variety of ways to attack, here is just a simple way to provide only one idea, but the principle is the same, in the actual situation can be based on the actual situation to enhance the security of our code.

Here just to share their work in the problems encountered, the right to be a good point, I hope that we can further study.