Is the session in PHP safe? PHP session security (PHP tutorial)

Source: Internet
Author: User
Tags: php, session, php example

I have been doing PHP development for a long time without really paying attention to security; each project was simply about getting it finished. Recently I read an article on security online, and only then did I notice that my earlier projects had large security holes. I picked one project to test and found it fell over easily. Here I share a test example I wrote to show how the session in PHP is unsafe and how to harden it in a project.
The session mechanism itself is well covered by many good articles online, which you can consult on your own; here I go straight to the test example.
The test example is just a login page; after a successful login the user can change their password. That is the whole function.
The interface is as follows:

First, the session is opened with session_start() at the project's entry point. When the client makes its first request, the server generates an identifier, the session ID. It is stored in a cookie on the client side, and every later exchange between client and server is identified by this session ID.
After a successful login, the user ID and user name are stored in the session:

$_SESSION['userid'] = $user_id;   // numeric user ID from the accounts table
$_SESSION['uname']  = $user_name; // display name

Every subsequent operation checks whether the user is logged in by testing whether $_SESSION['userid'] exists. The code is as follows:

if (isset($_SESSION['userid'])) return true;

The password-change interface is called by sending the data to the server with an Ajax POST:

$.post("interface *******", {
    oldpass: oldpass,
    newpass: newpass,
    userid: uid
}, function (data) {
    data = eval('(' + data + ')');
    $('.grant_info').html(Infos[data.info]).show();
});

Note that I put this code directly in the HTML page, so anyone who can read the HTML source learns the interface address.
The password-change interface first checks whether the user is logged in and, if so, performs the password change.
That is roughly the implementation of the test example.
Attacking with the session ID
1. The first step is to obtain the session ID. An attacker has many ways to get hold of this identifier; since my expertise is limited I will not go into them here. For the test we can simply access the project normally and read the session ID in the browser, which gives us a legitimate user's ID. It is visible in the request header:

Once we have the session ID, if that user has logged in successfully, the server-side session holds that user's information.
2. With the session ID in hand, an attacker who already knows the password-change interface can change the user's password directly. An attacker who does not yet know the interface address can find it by reading the page source, for example with the following command:

# curl --cookie "PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7" <page address>

As noted above, the Ajax code in this example is written in the HTML page, so the interface address can be seen on this page.
Part of the HTML code is as follows:

...
var uid = $(".userid").val();
$.post("/user/user/modifypass_do", {
    oldpass: oldpass,
    newpass: newpass,
    userid: uid
}, function (data) {
    data = eval('(' + data + ')');
    $('.grant_info').html(Infos[data.info]).show();
});
...

3. With the interface known, curl can be used to simulate the POST that sends the password-change data.
The command is as follows:

# curl --cookie "PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7" -d oldpass=111111 -d newpass=000000 -d userid=<user ID> <interface address>

If the user is logged in at that moment, running the command above changes the user's password.
Workaround
Against attacks of this kind we can raise the bar by making the authentication check more demanding. One way is to use the User-Agent header of the request as an additional factor. The request headers look like this:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: Hm_lvt_bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7
Host: ******
Referer: ******
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

At the start of the project we open the session with session_start(). Now we add the following code right after session_start():

if (!isset($_SESSION['user_agent'])) {
    // Record the fingerprint only once per session. Re-setting it on every
    // request would overwrite it with the current User-Agent and make the
    // check below always succeed.
    $_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT']);
}

Then, every time we decide whether the user is logged in, we add the following condition:

if (isset($_SESSION['userid']) && $_SESSION['user_agent'] === md5($_SERVER['HTTP_USER_AGENT'])) {
    return true;
}

This blocks the simple attack described above.
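As an added example (not the article's own code), here is how the same login and change-password flow looks when the session layer applies the User-Agent binding above together with a few further standard PHP hardening steps that go beyond the article: secure cookie flags, session strict mode, a fresh session ID at login, a constant-time comparison of the fingerprint, an absolute session lifetime, and a password change that requires the current password and takes the user ID from the session instead of the POST body. The function names, the two callbacks standing in for the database layer, and the 8-character minimum are assumptions.

```php
<?php
// Added example, not the article's own code. Hardens the login /
// change-password flow: secure cookie flags, strict mode, a fresh session
// id at login, User-Agent binding stored once at login, a constant-time
// comparison, and a password change that trusts only the session's user id.
declare(strict_types=1);

// Open the session with cookie flags that make the id harder to steal or
// replay: HttpOnly hides it from page scripts, Secure limits it to HTTPS,
// SameSite=Strict keeps cross-site requests from carrying it.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Fingerprint of the client; the article uses md5, sha256 is used here.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Called once, after the credentials have been verified by the caller.
function login_user(int $userId, string $userName): void
{
    // A new id on privilege change invalidates any id captured before login
    // and defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['userid']     = $userId;
    $_SESSION['uname']      = $userName;
    $_SESSION['user_agent'] = client_fingerprint(); // set at login, never per request
    $_SESSION['login_at']   = time();
}

// The check every protected request runs: the article's condition plus a
// constant-time comparison and an absolute session lifetime.
function is_logged_in(int $maxLifetime = 3600): bool
{
    if (!isset($_SESSION['userid'], $_SESSION['user_agent'], $_SESSION['login_at'])) {
        return false;
    }
    if (!hash_equals((string) $_SESSION['user_agent'], client_fingerprint())) {
        return false;
    }
    return (time() - (int) $_SESSION['login_at']) <= $maxLifetime;
}

// Handler behind /user/user/modifypass_do. $lookupHash and $storeHash are
// hypothetical callbacks standing in for the database layer.
function modify_password(array $post, callable $lookupHash, callable $storeHash): array
{
    if (!is_logged_in()) {
        return ['info' => 'not_logged_in'];
    }
    // Use the session's user id only; a userid field in the POST body must
    // never decide whose password is changed.
    $userId  = (int) $_SESSION['userid'];
    $oldPass = (string) ($post['oldpass'] ?? '');
    $newPass = (string) ($post['newpass'] ?? '');

    if (strlen($newPass) < 8) {
        return ['info' => 'new_password_too_short'];
    }
    // Requiring the current password means a stolen session id alone is not
    // enough to take over the account.
    if (!password_verify($oldPass, (string) $lookupHash($userId))) {
        return ['info' => 'wrong_old_password'];
    }
    $storeHash($userId, password_hash($newPass, PASSWORD_DEFAULT));
    session_regenerate_id(true); // re-issue the id after a sensitive change
    return ['info' => 'ok'];
}

// Usage sketch at the project entry point and in the endpoint:
// secure_session_start();
// ... after checking credentials: login_user($row['id'], $row['name']);
// echo json_encode(modify_password($_POST, $lookupHash, $storeHash));
```

The User-Agent binding from the article stays in, but as the article's summary notes it is only a speed bump, since the header is chosen by the client. The steps that actually change the picture for the curl scenario above are regenerating the ID at login, refusing IDs the server never issued, and asking for the current password before changing it.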
Summary:
Of course, a real attack is far from this simple. Obtaining the session ID is the harder step, and the server-side interface code should be written to avoid the situation above as far as possible. After our second change to the code we only raise the cost of an attack; we do not eliminate it. There are many attack methods, and this is just one simple one offered as an idea, but the principle is the same, and in practice the security of our code can be strengthened according to the actual situation.

This is just a share of a problem I ran into at work; corrections are welcome, and I hope readers will study the topic further.
