Is phpsession secure? How to build a secure session mechanism?

Source: Internet
Author: User
After studying session security for several days, let's get several points: xss can get cookie information, including sessionid, and can get header information by intercepting http, the above two methods contain sessionid have certain conditions and difficulties. If the server only uses sessionid to identify the session information... after studying session security for a few days, please correct me:

  1. Xss can obtain cookie information, including sessionid
  2. Attackers can intercept http to obtain header information, including sessionid.
  3. Both methods have certain conditions and difficulties.
  4. If the server identifies session information by sessionid alone, the user information will be leaked after the sessionid is obtained through xss. If the user information is verified by ip address and useragent information, the risk will be reduced.
  5. If http is intercepted, using https can reduce risks.
  6. Even with https, ssl certificates can also be forged.

Conclusion:

  1. Xss vulnerabilities are lower, but cause a high risk.
  2. Http interception, with a small interception range and a low risk. Of course, the intercepted admin information is different.
  3. The technical requirements and environment requirements for http interception/ssl certificate forgery are high, and the prevention cost is also high.

Reply content:

After studying session security for a few days, please correct me:

  1. Xss can obtain cookie information, including sessionid
  2. Attackers can intercept http to obtain header information, including sessionid.
  3. Both methods have certain conditions and difficulties.
  4. If the server identifies session information by sessionid alone, the user information will be leaked after the sessionid is obtained through xss. If the user information is verified by ip address and useragent information, the risk will be reduced.
  5. If http is intercepted, using https can reduce risks.
  6. Even with https, ssl certificates can also be forged.

Conclusion:

  1. Xss vulnerabilities are lower, but cause a high risk.
  2. Http interception, with a small interception range and a low risk. Of course, the intercepted admin information is different.
  3. The technical requirements and environment requirements for http interception/ssl certificate forgery are high, and the prevention cost is also high.

Well, there has never been an absolute security issue.

  1. Xss can obtain cookie information, including sessionidkey: The cookie has its own httpOnly. (apache has also exposed a vulnerability: If a cookie is sent for too long, the cookie will be returned, even if httpOnly has been fixed)First, you should avoid xss vulnerabilities..

  2. You can intercept http to obtain the header information, including sessionidkey: Use https instead to prevent man-in-the-middle (this is not absolutely secure, and SSL certificates have been forged by hackers, but the average person may not be able to do this)

  3. If the server identifies session information by sessionid alone, the user information will be leaked after the sessionid is obtained through xss. If the user information is verified by ip address and useragent information, the risk will be reduced.

Key: it can be avoided that he can implement it on his own ip address after obtaining the session. However, since he has obtained all xss, it is almost no effort for Cross-Site teachers to take user information. The key isHow to Avoid XSSThe door is opened for thieves. You still want to lock the safe deposit box. The current thief is taking a big tie!

  1. If http is intercepted, using https can reduce risks.

    Well, I agree

  2. Even if you use https, ssl certificates can also forge keys: Few people have successfully forged certificates. SSL is sufficient for most applications.

In summary, the security of the session itself lies in the Peripheral Security. it is safe. the most critical aspect of a secure session mechanism is to avoid some common vulnerabilities: XSS and CSRF (this is what I often encounter, whether it is a large site or a small site, which has the most problems)

  1. XSS can prevent this by setting httponly for sessionid cookies.
  2. It is a good way to check IP addresses when listening to http packets. Generally, session logon does not last for a long time, and the IP address does not change. Admin Login, it is best not to work with the front-end system, independent domain name, special port, restriction IP/VPN Intranet, mobile phone text message Random verification code and other methods can enhance security.
  3. For https counterfeit certificate listening, it seems that only the data submitted by the spoofed user can be obtained, because the certificate itself verifies the reliability of the server. Of course, if the client and server network have been completely cut off, the intermediate proxy has been added and the server certificate has been forged, this can still be solved through the authentication of IP address and SSL client certificate ...... This is not very clear. Please explain it to me.

In addition, being guessed that sessionid is random enough is also one of the potential security problems of the session.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.