Prevention of Session hijacking and session fixed attack

I. Prevention of Session hijacking

Requirements:

① is only allowed to pass through cookies SessionID

② generates a unique identifier passed by the URL as a token of the Session (token)

The session can be further accessed when the request contains both valid SessionID and a valid session token

Code:

    $salt= ' Mysessiontoken '; $tokenstr=Date(' W ').$salt; $token=MD5($tokenstr); //① if(!isset($_request[' token ']) ||$_request[' token ']! =$token) { //② //Prompt Login        Exit; }    $_session[' token '] =$token; Output_add_rewrite_var(' token ',$token);//③

Description

①token contains two parts, salt (a custom string) and a string that does not change over time (can be used with time-date functions)

② prompt user to log in when the requested URL does not contain token or token is incorrect

The ③ output_add_rewrite_var method is used to add a new key/value parameter to the URL rewrite mechanism, such as the original URL of http://serverName, using Output_add_rewrite_ var (' token ', $token) after the URL becomes http://serverName/token/b12a9d8237b3b29dd94a06e42a7d9b5f

Ii. Prevention of Session setting

Requirements:

① only allows SessionID to be passed through a Cookie, so that the likelihood of an attacker based on a URL attack is zero

② generates new effective SessionID in a given time, reducing the chance for attackers to gain effective SessionID

Code:

    if (! isset ($_session$_session[' generated '] < (time//①        session_ regenerate_id//②        $_sessiontime//③    }

Description

① Set Session replacement time is 30 seconds

The ②session_regenerate_id method can use the new SessionID instead of the original SessionID without modifying the current session data

Refer to "PHP Classic example"

Prevention of Session hijacking and session fixed attack