Abstract: This article introduces session hijacking against PHP websites. Session hijacking is a complicated attack method, and most computers on the Internet are vulnerable to it. It is a method of hijacking the TCP protocol, so almost all LAN hosts may be hijacked ....
The server and the client are connected through a session. When the client's browser connects to the server, the server creates a session for the user. Each user's session is independent and is maintained by the server. Each session is identified by a unique string, called the session ID. When a user sends a request, the HTTP header that is sent contains the session ID value, and the server uses that value to identify which user submitted the request.
A session stores each user's personal data. Generally, web applications use the session to store the authenticated user's account and password. If the user's identity needs to be verified when moving between web pages, the account and password saved in the session are used for the comparison. The session lifecycle starts when the user connects to the server and ends when the user closes the browser or logs out, at which point the session_destroy function deletes the session data. If the user takes no action within 20 minutes, the session ends automatically.
Application architecture of PHP session processing
Example
<?php
// login.php
// Legacy code: mysql_* was removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0.
session_start();
if (isset($_POST["login"])) {
    $link = mysql_connect("localhost", "root", "root")
        or die("unable to establish MySQL database connection: " . mysql_error());
    mysql_select_db("cms") or die("unable to select MySQL database");
    // Escape the submitted values unless magic quotes has already done so
    if (!get_magic_quotes_gpc()) {
        $query = "select * from member where username = '" . addslashes($_POST["username"]) . "' and password = '" . addslashes($_POST["password"]) . "'";
    } else {
        $query = "select * from member where username = '" . $_POST["username"] . "' and password = '" . $_POST["password"] . "'";
    }
    $result = mysql_query($query)
        or die("An error occurred while executing the MySQL query statement: " . mysql_error());
    $match_count = mysql_num_rows($result);
    if ($match_count) {
        // Mark the session as logged in, then redirect
        $_SESSION["book"] = 1;
        mysql_close($link);
        header("Location: http://localhost/index.php?user=" . $_POST["username"]);
    }
...
// The session ID of the visitor who opened the session
echo session_id();
?>
session_start();
// Generate a per-session token and keep it on the server side
$seid = md5(uniqid(rand(), TRUE));
$_SESSION["seid"] = $seid;
Although attackers can obtain session data, they cannot know the value of $seid. By checking the value of seid, the application can confirm whether the current page was called by the web program itself.
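A fuller version of the seid check described above, as an added example that is not code from the original article: the token comes from random_bytes() rather than md5(uniqid(rand(), TRUE)), the session ID is regenerated at login, and the 20-minute idle limit mentioned earlier is enforced. The function names, the last_seen key and the HTTPS assumption are illustrative assumptions.

```php
<?php
// Added example; helper names and the 'last_seen' key are hypothetical.

// Start the session with settings that keep the ID out of URLs and scripts.
function start_hardened_session()
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'httponly' => true,    // cookie is not readable from JavaScript
        'secure'   => true,    // HTTPS only (assumes the site is served over HTTPS)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the login query has matched a user.
function on_login_success()
{
    session_regenerate_id(true);                    // drop the pre-login session ID
    $_SESSION['seid'] = bin2hex(random_bytes(16));  // CSPRNG-generated token
    $_SESSION['last_seen'] = time();
}

// Check the seid sent with a request (for example in a hidden form field).
function seid_is_valid($submitted, $idle_limit = 1200)
{
    if (!isset($_SESSION['seid'], $_SESSION['last_seen']) || !is_string($submitted)) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $idle_limit) {  // 20 minutes idle
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return hash_equals($_SESSION['seid'], $submitted);    // constant-time compare
}

// Usage on a protected page (constructed request handling):
start_hardened_session();
if (!seid_is_valid($_POST['seid'] ?? null)) {
    http_response_code(403);
    exit('invalid or expired session token');
}
```

With this in place, a request that carries only a captured session ID fails the check, because the seid value is never sent in the cookie.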