The basic principle and safety of session


Reprinted from http://blog.csdn.net/yunnysunny/article/details/26935637

1. Session principle

When sessions are mentioned, you will immediately think of login: after a successful login the server keeps the logged-in state and remembers which user is currently logged in. That is basically the function, but today is not about the function but about the implementation. By looking at how sessions are implemented, we will discover some interesting things you may not have known before.

To record a session, both the client and the server must keep data: the client stores a token, and the server stores not only that token but also the data mapped to it. In plainer words, the client records a SessionID, and the server records a key-value structure in which the key is the SessionID and the value is the details of the session. Every time the user makes an HTTP request, the SessionID is sent along to the server, and the server looks up the session content (the value just mentioned) by that SessionID.

Now we focus on the SessionID, which is the key to today's problem. On the client side (for HTTP, the client is generally the browser) the SessionID is stored in a cookie. There are exceptions, of course: textbooks will mention that it can also be carried in the URL, but in all my years as a programmer I have never seen this used, which shows how cruel the gap between theory and practice can be.

Let us use an example to illustrate the role of the SessionID in session handling. Assume the following scenario: we have a CMS (content management system) with an admin backend, and the user must log in before entering the backend to publish articles and perform other operations.

First comes the login. The user enters a user name and password in the browser and clicks Login; the browser submits them to the server-side program, which verifies that the user name and password are correct and returns a login-success message. At the same time the server modifies the content of the server-side session, for example by writing the user ID into it (to make storage easier, the session content is serialized into a string or binary form and saved in a file or database). In most cases the server, while responding to the current HTTP request, also returns a new SessionID and asks the browser to write it into a local cookie; the corresponding HTTP response header looks like this:

Set-Cookie: PHPSESSID=xxxxxxx

After the browser parses this header, it generates a cookie associated with the current domain name.

Figure 1.1 Login Timing Diagram

Then the logged-in user goes to the backend to publish an article: they fill in the title and the content and click Send. The browser now generates an HTTP request to the server, and the header of this request carries the cookie that stores the SessionID, so the request headers contain a line like this:

Cookie: PHPSESSID=xxxxxxx; OTHER_COOKIE_NAME=YYYYYY

After the server receives this HTTP request, it finds that the Cookie header exists and that it contains a cookie named PHPSESSID. It takes out the value of PHPSESSID (that is, the SessionID) and checks whether it has session content stored for that ID. If it does, the stored value is taken out and deserialized, that is, turned back into a data structure of the programming language (for example the $_SESSION array in PHP, or an object of type javax.servlet.http.HttpSession in Java EE) that the program can read easily. Finally the server confirms that the session contains the stored value, reads the user ID attribute from the deserialized object, inserts a row into the article table of the CMS database, and returns an HTTP response telling the browser that the operation succeeded.

Figure 1.2 Post sequence diagram
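To make the SessionID-to-value map described in this section visible, here is an added example (not code from the original post) that plugs a minimal custom save handler into PHP's session machinery; the class name ArraySessionStore, the user ID 42 and the unknown SessionID are constructed for the demo, and PHP 8 is assumed.

```php
<?php
// Added example, not from the original post: a minimal custom session save
// handler that exposes the SessionID -> serialized data map described above.
// Constructed for the demo (PHP 8 assumed); it keeps the map in an array
// instead of the files or database a real server would use.
declare(strict_types=1);

final class ArraySessionStore implements SessionHandlerInterface
{
    /** @var array<string,string> key = SessionID, value = serialized $_SESSION */
    public array $rows = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // session_start() asks for the value behind a SessionID; '' means "no such session".
    public function read(string $id): string|false { return $this->rows[$id] ?? ''; }
    // session_write_close() hands over $_SESSION already serialized by PHP.
    public function write(string $id, string $data): bool { $this->rows[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->rows[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

$store = new ArraySessionStore();
session_set_save_handler($store, true);

// Request 1 (login): the server starts a session and writes the user ID into it.
session_start();
$_SESSION['uid'] = 42;        // constructed user ID
$sid = session_id();          // the value the Set-Cookie: PHPSESSID=... header carries
session_write_close();        // serialize $_SESSION and store it under $sid

// Request 2 (post article): the browser sends Cookie: PHPSESSID=$sid back.
$_SESSION = [];
session_id($sid);
session_start();
$uid = $_SESSION['uid'] ?? null;   // recovered from the server-side map, not from the cookie
session_write_close();

// Request 3: a SessionID the server never issued maps to nothing.
$_SESSION = [];
session_id('unknownsessionid');   // constructed, never issued by this server
session_start();
$unknown = $_SESSION['uid'] ?? null;
session_write_close();

printf("SessionID issued: %s\n", $sid);
printf("Stored value    : %s\n", $store->rows[$sid]);
printf("uid for issued id: %s, uid for unknown id: %s\n", var_export($uid, true), var_export($unknown, true));
```

Run it with `php` on the command line; the stored value is PHP's own serialization of $_SESSION, which is exactly what the server would write to a session file.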

2. Intrusion Example

For the properties of cookies, refer to another of my blog posts about cookies, which covers the HttpOnly attribute, that is, whether JS is forbidden from reading the cookie. Unfortunately, many common servers (such as Apache and Tomcat) do not set the HttpOnly attribute when generating the SessionID cookie, which means JS can read the SessionID.

If JS can read the SessionID, there is a problem; if there were no problem, I would not be going on about it here. The JS code running on your website is not necessarily code you wrote. For example, most sites have a posting or commenting function; if someone with ulterior motives fills in HTML code (usually hyperlinks or images) when posting, and your backend does not filter it out, then once the article is published and someone clicks the malicious link, something happens. This is what we commonly call XSS.

<?php
session_start();
$result = array();
if (!isset($_SESSION['uid']) || !$_SESSION['uid']) {
    $result['code'] = 2;
    $result['msg']  = 'not logged in';
} else {
    $uid = $_SESSION['uid'];
    require_once('../globaldb.php');   // provides the $db wrapper object
    if (!isset($_POST['title']) || !$_POST['title']) {
        $result['code'] = 4;
        $result['msg']  = 'title is empty';
        goto end;
    }
    if (!isset($_POST['content']) || !$_POST['content']) {
        $result['code'] = 4;
        $result['msg']  = 'content is empty';
        goto end;
    }
    if ($db->getStatus()) {
        $title   = $_POST['title'];
        $content = $_POST['content'];
        // title and content go into the SQL string unfiltered: this is the flaw discussed below
        $sql = 'INSERT INTO article (title, content, uid, create_time) VALUES ("' . $title . '", "' . $content . '", ' . $uid . ', NOW())';
        $rv  = $db->dbExecute($sql);
        if ($rv > 0) {
            $result['code'] = 0;
        } else {
            $result['code'] = 3;
            $result['msg']  = 'insert failed';
        }
    } else {
        $result['code'] = 1;
        $result['msg']  = 'Database operation failed';
    }
}
end:
echo json_encode($result);

Code 2.1 Backend code for adding an article

The code above is given because the submitted content, such as the content form field, is not filtered. Now suppose there are two websites: your own CMS site with the domain name mycms.whyun.com, and a site owned by the hacker with the domain name session.myhack.com. You can configure the hosts file to simulate both sites; here I can again recommend the Addhost tool I wrote earlier, which automatically generates hosts and vhost configurations. Code 2.1 is the code of the mycms website.
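As an added example (not code from the original post), here is a hardened rewrite of Code 2.1 that closes both gaps the text raises: the PHPSESSID cookie is marked HttpOnly (with Secure and SameSite added on top) before the session starts, and the article is inserted with bound parameters and escaped on output. The functions add_article and render_article, the in-memory SQLite table, the user ID 42 and the hostile article body are all constructed here; the page's $db wrapper and globaldb.php are not used, and date('c') stands in for NOW().

```php
<?php
// Added example, not from the original post: a hardened rewrite of Code 2.1.
// Assumes PHP >= 7.3 with PDO; the page's $db wrapper and globaldb.php are
// replaced by a constructed in-memory SQLite database so the file runs with
// `php add_article.php` and can be read as a drop-in pattern for MySQL.
declare(strict_types=1);

// Fix 1: mark the PHPSESSID cookie HttpOnly (and Secure/SameSite) before the
// session starts, so document.cookie cannot reveal the SessionID even if XSS slips through.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'domain' => '',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
if (PHP_SAPI !== 'cli') {
    session_start();
}

// Fix 2: bind title/content as parameters; they never become part of the SQL text.
function add_article(PDO $db, int $uid, string $title, string $content): array
{
    if (trim($title) === '')   { return ['code' => 4, 'msg' => 'title is empty']; }
    if (trim($content) === '') { return ['code' => 4, 'msg' => 'content is empty']; }
    $stmt = $db->prepare(
        'INSERT INTO article (title, content, uid, create_time) VALUES (:t, :c, :u, :now)'
    );
    $ok = $stmt->execute([':t' => $title, ':c' => $content, ':u' => $uid, ':now' => date('c')]);
    return ($ok && $stmt->rowCount() === 1) ? ['code' => 0] : ['code' => 3, 'msg' => 'insert failed'];
}

// Fix 3: escape on output, so stored HTML is shown as text rather than run by the browser.
function render_article(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo with constructed data: an in-memory table, a demo uid and a hostile article body.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT, uid INTEGER, create_time TEXT)');
$uid = (int) ($_SESSION['uid'] ?? 42);                     // constructed uid for the CLI run
$hostile = '<script>alert(document.cookie)</script>';      // constructed sample body
echo json_encode(add_article($db, $uid, "O'Reilly's \"quoted\" title", $hostile)), "\n";
echo render_article((string) $db->query('SELECT content FROM article')->fetchColumn()), "\n";
```

The quotes in the title would have broken the concatenated SQL of Code 2.1; with bound parameters they are stored verbatim, and the script tag comes back out as inert text.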

After logging in to mycms, add an article in the backend whose content is:
