PHP Session hosting is prone to vulnerabilities

Source: Internet
Author: User
Tags php oop php session
The following content is intended for developers who use PHP's session_set_save_handler mechanism to take over ("host") PHP session storage themselves.

Assume that session management has been handed to custom open, close, read, write, destroy and gc callbacks (the page originally called the last three "pick", "dump" and "clear"; these are PHP's read, write and destroy callbacks). The problem discussed here is not PHP's gc mechanism itself. The problem is what happens to an expired session when expiry is handled outside the gc mechanism.

In a PHP application, session recovery can rely entirely on the traditional gc mechanism. But the higher a project's concurrency, the more often the probabilistic gc run fires, and for the database (or whatever I/O backs the store) that is a heavy load, so one usually raises the gc divisor (ini_set('session.gc_divisor', xxxx);) to make gc rarer. That is not the focus of this article.

The real purpose of taking over session storage is, first, to reduce some drawbacks of the built-in PHP session mechanism (important user information lives in the $_SESSION variable) and, second, to get a better grip on, and better management of, the sessions of the entire system.

A standard design gives the session data itself a lifecycle: when the session_id held by the client refers to a session whose lifecycle has run out, the session is deemed invalid, and the user must log on again to re-establish the session with the server.

    $sessName = "MY_APP_SID";
    session_name($sessName);
    session_start(); // => the hosted open and read callbacks are called immediately

For the open function (the author's open does the job of PHP's read callback, see below):

    function open($sessId) {
        $sess = /* obtain the session record for $sessId from the store */;
        if ($sess->isValid()) { /* check whether the session is still valid */
            return $anyVal;    /* the stored, serialized session data */
        }
        return false;
    }

The open function receives the sessId held by the client and returns the stored session value (what ends up in $_SESSION); PHP then internally runs the returned $anyVal through session_decode() to populate $_SESSION. Note that in PHP's actual save-handler interface open receives the save path and the session name, while it is the read callback that receives the session id and returns the serialized data; the validity check shown here belongs wherever the record is looked up by id, which in practice is read.

When isValid returns false, we need to regenerate the session id and notify the client of the new one. PHP provides session_regenerate_id() for exactly this, but when to call it is the key to the whole problem. For the switch to be seamless for both server and client, the essential step is to quietly write the newly generated sessId into the record container (database, memory or I/O) during write. But the write callback runs at the very end of the PHP request, when the response headers have already been output, so the Set-Cookie header can no longer be rewritten. Put simply, every PHP script we write runs through the open -> write sequence regardless of its length, and once the session mechanism has reached write there is no way to turn back.

The solution is to call session_regenerate_id() right after session_start(), when the session has only just been started, but that requires a global flag set while the session is being opened (this is where one misses JavaScript's scoping; PHP offers nothing as convenient).

    $sessName = "MY_APP_SID";
    $isRegenerateId = false;
    session_name($sessName);
    session_start(); // => the hosted open and read callbacks are called immediately
    if ($isRegenerateId)
        session_regenerate_id();

In the open function, $isRegenerateId is set to signal that the id has to change (the variable must be declared global inside the function, otherwise the assignment only touches a local copy):

    function open($sessId) {
        global $isRegenerateId;
        ....
        if ($sess->isValid()) { /* check whether the session is still valid */
            return $anyVal;
        } else {
            $isRegenerateId = true;
        }
        ....
    }

Nothing special needs to be done in write, because once session_regenerate_id() has run the global session id changes automatically and write is called with the new id.

What PHP's OOP lacks, however, is strong encapsulation. $isRegenerateId is an important variable, and exposing it to every scope is extremely dangerous; even with private, the more hidden the state is, the easier it becomes for the code's state to slip out of control. One adjustment is to use a constant instead:

    $sessName = "MY_APP_SID";
    session_name($sessName);
    session_start(); // => the hosted open and read callbacks are called immediately
    if (defined('REGENERATE_SESS_ID'))
        session_regenerate_id();

Correspondingly, in open, when isValid is false, call define('REGENERATE_SESS_ID', true).
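The following is an added example, not code from the original post: a complete PHP 8 save handler that implements the flow described above (check validity where the record is looked up, regenerate right after session_start() while headers can still be sent) with the flag kept as private state of the handler object instead of a global or a constant. The in-memory store, the record layout, the id values and the method names are assumptions made for the example; a real handler would back the store with a database or cache.

```php
<?php
// Added example (not from the original post). Assumptions: an in-memory array
// stands in for the database, records carry a server-side expiry timestamp,
// and the ids 'livesid' / 'stalesid' are constructed sample data.
declare(strict_types=1);

final class ExpiringSessionHandler implements SessionHandlerInterface
{
    /** @var array<string, array{data: string, expires: int}> */
    private array $store;
    private int $lifetime;
    private bool $regenerate = false;

    public function __construct(array $seed, int $lifetime)
    {
        $this->store = $seed;
        $this->lifetime = $lifetime;
    }

    // PHP passes the save path and the session name here, not the session id.
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // The id presented by the client arrives here. An unknown or expired id
    // gets an empty session and sets the flag; the stale record is dropped so
    // that a later write() cannot resurrect it under the old (possibly
    // attacker-chosen) id.
    public function read(string $id): string|false
    {
        $rec = $this->store[$id] ?? null;
        if ($rec === null || $rec['expires'] < time()) {
            unset($this->store[$id]);
            $this->regenerate = true;
            return '';
        }
        return $rec['data'];
    }

    public function write(string $id, string $data): bool
    {
        $this->store[$id] = ['data' => $data, 'expires' => time() + $this->lifetime];
        return true;
    }

    public function destroy(string $id): bool
    {
        unset($this->store[$id]);
        return true;
    }

    public function gc(int $maxLifetime): int|false
    {
        $now = time();
        $removed = 0;
        foreach ($this->store as $id => $rec) {
            if ($rec['expires'] < $now) {
                unset($this->store[$id]);
                $removed++;
            }
        }
        return $removed;
    }

    // Read-and-clear: the bootstrap cannot regenerate twice by accident and
    // no other code can leave the flag set.
    public function takeRegenerateFlag(): bool
    {
        $flag = $this->regenerate;
        $this->regenerate = false;
        return $flag;
    }

    public function has(string $id): bool { return isset($this->store[$id]); }
}

// Constructed sample records, in PHP's default session serialization.
$seed = [
    'livesid'  => ['data' => 'uid|i:42;', 'expires' => time() + 600],
    'stalesid' => ['data' => 'uid|i:7;',  'expires' => time() - 1],
];
$handler = new ExpiringSessionHandler($seed, 600);

session_name('MY_APP_SID');
session_set_save_handler($handler, true);
session_id('stalesid');        // stands in for the cookie the client sent
session_start();               // open() and read() run here, before any output

if ($handler->takeRegenerateFlag()) {
    // Headers have not been sent yet, so the new Set-Cookie reaches the client.
    session_regenerate_id(true);   // true also calls destroy() on the old id
}

$_SESSION['uid'] = 42;
$newId = session_id();
session_write_close();             // write() stores the data under the new id

printf("stalesid kept: %s\n", var_export($handler->has('stalesid'), true));
printf("%s kept: %s\n", $newId, var_export($handler->has($newId), true));
```

Run it from the command line with `php example.php`; the old id is gone from the store and the new id holds the data. Two caveats for practitioners: with session.use_strict_mode left at its default of 0, the handler is the only thing that rejects an id the client made up, which is why read() treats an unknown id the same as an expired one; on PHP 7.0 and later the preferred way to get this behaviour is to enable session.use_strict_mode and implement SessionUpdateTimestampHandlerInterface::validateId(), after which PHP discards an id the handler rejects and creates a fresh one itself before read() is ever called. The handler above keeps the post's explicit flag so that the flow described in the text remains visible.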

Finally, what are the consequences of not regenerating the id?

First, from the original intention of taking over session storage: each session is given a lifecycle precisely so that heavy global recovery can be avoided. Expired session data may then linger redundantly for a while without much impact on or interference with the session holder, whereas if a session is forcibly deleted the client has to log on again. That is only one case. Without proper control, several instances may exist for the same sessId, or sessions that should already be past their lifecycle may be re-activated. For an individual client the effect on its own experience may be negligible, and the same goes for global security in ordinary website applications, where a session rarely persists for more than 10 hours. But that holds only for websites; for APIs, games and similar uses the requirements on the session lifecycle become increasingly strict, and in enterprise-level applications parts of the lifecycle may be measured in seconds. Seamless hand-over from one session lifecycle to the next is then very important.

Second, as part of a system, a session often holds significant user information, and however well the system is designed, there is always a red line between client and server. In special-purpose applications sessions hold even more sensitive data, and transferring it securely, keeping proper redundancy for future data management, and returning it completely and accurately all depend on the session lifecycle being handled correctly. Furthermore, only by implementing the design fully can we summarize and develop a more complete structure for it. Not knowing that a bug exists is the biggest risk.

Link: http://my.oschina.net/janpoem/blog/6932
