Is it safe to use the session in PHP?

is the session in PHP safe? PHP is just for us to provide a session of the implementation, the subsequent security work requires the programmer's own flexibility to master, so that PHP programming is really flexible, need to understand the security of the session in PHP friends can refer to

PHP development So long, and really did not really pay attention to the issue of security, each time is to complete the project-based, recently saw an article on the Internet on security, after reading only to notice that their previous projects there are a large security loopholes, so picked a project to test, found that it is easy to recruit children. Here I'll share an example of a test I've written to illustrate how the session in PHP is unsafe and how to enhance its security in the project.
For the principle mechanism of the session, there are a lot of good articles on the Internet to introduce, we can consult on their own. Here is an example of a direct sharing test.
The example of this test is mainly a login page, after the successful login can change the password, just such a simple function.
The interface is as follows

First, the session is opened using the function session_start () at the entrance of the project. When the client initiates the request, it generates an identity, which is SessionID. Cookies are stored on the client side, and each communication on the client and the server is identified by this sessionid.
After the login is successful, the user ID and user name will be stored in the session.

$_session[' userid '] = user id$_session[' uname '] = user name

All subsequent operations are checked to see if the user is logged in by judging whether $_session[' UserID ' exists. The code is as follows:

if (Isset ($_session[' userid ')) return true;

The call to modify the password interface is to transfer the data to the server via Ajax post.

$.post ("interface *******",  {     oldpass:oldpass,     newpass:newpass,     userid:uid,  },  function (data) {     data = eval (' (' +data+ ') ');     $ ('. Grant_info '). html (Infos[data.info]). Show ();  });

Note that I write this code in the HTML page, so that if you see the HTML code, you will know the interface address.
The interface to modify the password is implemented, the first is to determine whether the user is logged in, if the login will be password modification operation.
The implementation of the test example is probably the one described above.
Using SessionID attacks
1. The first is to get SessionID, of course the attacker gets this logo in a lot of ways, because my level is limited, as to how to get me here not to do the introduction. We can simulate the normal access to the project and then view the SessionID through the browser to get a legitimate user ID. You can see this item ID in the request header

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8accept-encoding:gzip, Deflateaccept-language:zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3connection:keep-alivecookie:hm_lvt_ bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7; Host: ******referer: ******user-agent:mozilla/5.0 (Windows NT 6.1; rv:41.0) gecko/20100101 firefox/41.0

After getting SessionID, if this user login is successful, then the server session will have this user's information.
2. After getting to SessionID, if the attacker already knows the interface to change the password, the user's password can be modified directly. If an attacker has not yet received an interface address, you can find the interface address by looking at the page code. You can use the following command

#curl--cookie "PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7" page address

As we said above, the AJAX code in this example is written in an HTML page, so you can see the interface address on this page
Some HTML code is as follows

3. After getting the interface, you can use the curl to simulate post to send data to modify the password
The command is as follows

# Curl--cookie "Phpsessid=2eiq9hcpu3ksri4r587ckt9jt7"-D oldpass=111111-d newpass=000000-d userid= User ID interface address
If the user is already logged in, the attacker can modify the user's password by executing the above command.
Workaround
For attacks of this type, we can enhance the security by complicating the authentication method. One way is to use the User-agent item in the request header to enhance its security

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8accept-encoding:gzip, Deflateaccept-language:zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3connection:keep-alivecookie:hm_lvt_ bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7; Host: ******referer: ******user-agent:mozilla/5.0 (Windows NT 6.1; rv:41.0) gecko/20100101 firefox/41.0
At the beginning of the project, we used the session_start () function to open the session initially. Now we can add this code under Session_Start ()

$_session[' user_agent ' = MD5 ($_server[' http_user_agent ']);
Then, each time you decide whether to log in, add the following criteria

If (Isset ($_session[' userid ')) && $_session[' user_agent '] = = MD5 ($_server[' http_user_agent ')) {    return true;}
This avoids the simple attack described above.
Summarize:
Of course, the actual attack is far from so simple, first in the acquisition of SessionID This step is more difficult, and then the server interface to interact with the code as much as possible to avoid the above situation. After we modify the code for the second time, we can increase the complexity of the attack and not eliminate the attack. There are many ways to attack, but here is a simple way to provide only one idea, but the principle is the same, in the actual situation can be based on the actual situation to enhance the security of our code.

Here is just to share their work in the problems encountered, the right to be a point, I hope you can further study further.