Prevention of Session hijacking and session fixed attack

Source: Internet
Author: User

I. Prevention of Session hijacking

Requirements:

① is only allowed to pass through cookies SessionID

② generates a unique identifier passed by the URL as a token of the Session (token)

The session can be further accessed when the request contains both valid SessionID and a valid session token

Code:

    $salt= ' Mysessiontoken '; $tokenstr=Date(' W ').$salt; $token=MD5($tokenstr); //① if(!isset($_request[' token ']) ||$_request[' token ']! =$token) { //② //Prompt Login        Exit; }    $_session[' token '] =$token; Output_add_rewrite_var(' token ',$token);//③

Description

①token contains two parts, salt (a custom string) and a string that does not change over time (can be used with time-date functions)

② prompt user to log in when the requested URL does not contain token or token is incorrect

The ③ output_add_rewrite_var method is used to add a new key/value parameter to the URL rewrite mechanism, such as the original URL of http://serverName, using Output_add_rewrite_ var (' token ', $token) after the URL becomes http://serverName/token/b12a9d8237b3b29dd94a06e42a7d9b5f

Ii. Prevention of Session setting

Requirements:

① only allows SessionID to be passed through a Cookie, so that the likelihood of an attacker based on a URL attack is zero

② generates new effective SessionID in a given time, reducing the chance for attackers to gain effective SessionID

Code:

    if (! isset ($_session$_session[' generated '] < (time//①        session_ regenerate_id//②        $_sessiontime//③    }

Description

① Set Session replacement time is 30 seconds

The ②session_regenerate_id method can use the new SessionID instead of the original SessionID without modifying the current session data

Refer to "PHP Classic example"

Prevention of Session hijacking and session fixed attack

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.