Is the Session Secure in PHP? - PHP Tutorial

Source: Internet
Author: User
Tags: php, session

After such a long time of PHP development I had not really paid much attention to security; every time I finished a project I simply moved on. Recently I saw an article about security on the Internet, and after reading it I noticed that my previous projects had a lot of security vulnerabilities. So I picked one project for testing and found that it was easy to break into my own application. Here I will share my own test example to illustrate how the session in PHP is insecure and how to enhance its security in a project.

There are many good articles on the Internet that explain the principle and mechanism of sessions, which you can refer to on your own. The following example is used for testing. The test example is a logon page; after a successful logon the user can change the password. This is a simple function, and the interface is shown below. First, the session is enabled with the session_start() function at the project entry point. In this way, when the client sends a request, an ID (the SessionID) is generated and stored in a cookie on the client, and every subsequent exchange between the client and the server is identified by this SessionID. After a successful logon, the user ID and user name are stored in the session:

    $_SESSION['userid'] = <user ID>;
    $_SESSION['uname']  = <user name>;

All later operations check $_SESSION['userid'] to decide whether the user has logged on.
The code is as follows:
    // Logged-on check used by every protected operation
    if (isset($_SESSION['userid'])) {
        return true;
    }

The call to the password-change interface sends its data to the server through an ajax POST:

    var uid = $(".userid").val();
    $.post("interface ********", {oldpass: oldpass, newpass: newpass, userid: uid},
        function (data) {
            data = eval('(' + data + ')');   // parses the JSON reply; JSON.parse(data) is the safer choice
            $('.grant_info').html(infos[data.info]).show();
        });

Note: I put this code directly in the HTML page, so anyone who views the HTML source can see the interface address. The password-change interface is implemented the same way: first it checks whether the user is logged on, and if so it changes the password. That is roughly the design of the test example.
SessionID attack
1. The first step is to obtain the SessionID. Of course, attackers have many ways to obtain this ID; because of my limited level, I will not describe how to obtain it here. We can simulate it instead: access the project normally and then view the SessionID in the browser to obtain a valid ID. You can see the ID in the request header:

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Connection: keep-alive
    Cookie: Keys=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7
    Host: *******
    Referer: *******
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

This gives the SessionID. If the user has logged on successfully, the session on the server contains the user's information.
2. After obtaining the SessionID, an attacker who knows the password-change interface can directly modify this user's password. If the attacker does not know the interface address, it can be found by viewing the page source, for example with the following command:

    # curl --cookie "PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7"

As mentioned, the ajax code in this example is written on the HTML page, so the following HTML code on that page reveals the interface address:

    ......
    var uid = $(".userid").val();
    $.post("/User/modifypass_do", {oldpass: oldpass, newpass: newpass, userid: uid},
        function (data) {
            data = eval('(' + data + ')');
            $('.grant_info').html(infos[data.info]).show();
        });
    ......
3. After obtaining the interface, curl can simulate the POST and change the password. The command is as follows:

    # curl --cookie "PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7" -d oldpass=111111 -d newpass=000000 address

If the user has logged on, an attacker can run the preceding command to modify the user's password. To counter this attack, we can make the verification more elaborate to enhance security. One method is to use the User-Agent item in the request header, the line shown in the header above:

    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

We originally started the session with the session_start() function. Now we add the following code under session_start():

    session_start();
    // Bind the session to the User-Agent once; re-assigning it on every request
    // would overwrite the stored value and make the check below always pass.
    if (!isset($_SESSION['user_agent'])) {
        $_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT']);
    }

Then, each time we check whether the user is logged on, we add the extra condition:

    if (isset($_SESSION['userid'])
        && $_SESSION['user_agent'] === md5($_SERVER['HTTP_USER_AGENT'])) {
        return true;
    }

In this way, the simple attack above can be avoided.
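As an added example that is not part of the original article, here is how the User-Agent binding above can be wired into a PHP login flow without re-binding on every request, together with the logged-on check that the /User/modifypass_do handler would call. Function names, the cookie flags and the 401 JSON reply are assumptions; session_set_cookie_params() with an array argument needs PHP 7.3 or later.

```php
<?php
// Added example, not the article's own code: session bootstrap that binds the session
// to the client's User-Agent, plus the logged-on check for the password-change handler.

function secure_session_start(): void
{
    // HttpOnly keeps scripts from reading PHPSESSID, Secure keeps it off plain HTTP,
    // SameSite limits the cookie on cross-site requests (PHP 7.3+ array form).
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function ua_fingerprint(): string
{
    // Hash of the User-Agent header; a missing header hashes to a fixed value.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once, immediately after the credentials have been verified.
function on_login_success(int $userId, string $userName): void
{
    session_regenerate_id(true);        // discard the pre-login id so a fixated id is useless
    $_SESSION['userid']     = $userId;
    $_SESSION['uname']      = $userName;
    $_SESSION['user_agent'] = ua_fingerprint();   // bound here, never refreshed per request
}

// Replaces the article's plain isset($_SESSION['userid']) check.
function is_logged_in(): bool
{
    if (!isset($_SESSION['userid'], $_SESSION['user_agent'])) {
        return false;
    }
    if (!hash_equals($_SESSION['user_agent'], ua_fingerprint())) {
        // Fingerprint mismatch: treat the session as replayed, record it, and end it.
        error_log(sprintf('session %s: User-Agent mismatch for userid %d',
                          session_id(), $_SESSION['userid']));
        $_SESSION = []; session_destroy();
        return false;
    }
    return true;
}

// /User/modifypass_do: the account to change comes from the session, not from the
// posted "userid" field, so a logged-on user can only change their own password.
secure_session_start();
if (!is_logged_in()) {
    http_response_code(401);
    exit(json_encode(['info' => 'not_logged_in']));
}
$userId = (int) $_SESSION['userid'];   // then verify oldpass for $userId and store newpass
```

The User-Agent header is client-supplied, so this binding raises the cost of replaying a copied PHPSESSID rather than preventing it; session_regenerate_id() on login and the cookie flags do more of the work.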
Summary: of course, real attacks are far from this simple. First, it is difficult to obtain the SessionID; second, try to obfuscate the code that interacts with the server so that the interface address is not exposed as it was above. After the second modification of the code, we raise the cost of the attack and prevent this one. There are many attack methods; this is only a simple one and offers one idea, but the principle is the same: in practice, we harden our code according to the actual situation. Here I only share the problems encountered at work, and I hope you will study them further.

