Is the session secure in PHP?

Source: Internet
Author: User
Is the session secure in PHP? If you use the session exactly as PHP ships it, with no additional processing, it is not safe on its own. PHP only provides the session mechanism; the security work around it is left to the programmer to handle as the project requires. That is the flexibility of PHP programming, and also its risk.

I have not really paid much attention to security after such a long time of PHP development; every time, I just finish the project. I recently saw an article about security on the Internet, and after reading it I noticed that my previous projects had many security vulnerabilities. So I picked one project for testing and found that it was easy to break into. Here I will share my own test example to illustrate how the session in PHP is insecure and how to enhance its security in a project.

There are many good articles on the Internet that introduce the principle and mechanism of the session; you can look those up on your own. The following example is the one used for testing.

The example used in this test is a logon page; after a successful logon, the user can change their password. It is a simple function.

The interface is as follows:

First, call session_start() at the project entry point to enable the session. When a client makes its first request, PHP generates a session id (the SessionID) and hands it to the client in a cookie (PHPSESSID by default); the session data itself stays on the server. Every subsequent exchange between client and server is identified by this SessionID alone.

After a successful logon, the user id and user name are stored in the session:

$_SESSION['userid'] = $userid; // user ID
$_SESSION['uname']  = $uname;  // user name

Every subsequent operation only checks whether $_SESSION['userid'] exists to decide whether the user is logged on. The code is as follows:

if (isset($_SESSION['userid'])) {
    return true;
}

The password change page sends its data to the server with an ajax POST:

$.post("interface *******",   // interface address elided in the original
    {
        oldpass: oldpass,
        newpass: newpass,
        userid: uid,
    },
    function (data) {
        // parse the JSON reply and show the matching message
        // (the original used eval('(' + data + ')'); JSON.parse reads the same
        // reply without executing it as script)
        data = JSON.parse(data);
        $('.grant_info').html(infos[data.info]).show();
    }
);

Note: I wrote this code directly on the html page, so anyone who views the html source can see the interface address.

The password change interface is implemented like this: first, check whether the user is logged on; if so, change the password.

That is roughly the implementation of the test example.

SessionID attack

1. The first step is to obtain the SessionID. There are many ways for an attacker to get hold of this id; due to my limited level, I will not describe how to obtain it here. For the test we simulate it: access the project normally, log on, and read the SessionID out of the browser's request headers, which gives a valid session id for a logged-on user. It appears in the Cookie line of the request header:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: hm_lvt_bf1154ec000057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7;
Host: ******
Referer: ******
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

Once the SessionID is in hand: if that user has logged on, the server-side session behind this id already contains the user information, so any request that carries this cookie is treated as that user.

2. With the SessionID, the attacker can call the password modification interface directly, provided he knows its address. If he does not, he can fetch the page with the stolen cookie and read the interface address out of the page source, for example with the following command:

curl --cookie "PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7" <page address>

As noted above, in this example the ajax code is written on the html page, so the interface address can be read from that page.

Part of the html code is as follows:

......
var uid = $(".userid").val();
$.post("/User/modifypass_do",
    {
        oldpass: oldpass,
        newpass: newpass,
        userid: uid,
    },
    function (data) {
        data = JSON.parse(data);   // the original used eval('(' + data + ')')
        $('.grant_info').html(infos[data.info]).show();
    }
);
......

3. With the interface address known, use curl to simulate the POST and change the password.

The command is as follows:

curl --cookie "PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7" -d oldpass=111111 -d newpass=000000 -d userid=<user ID> <interface address>

As long as the user is still logged on (that is, the server-side session behind this id is still alive), the attacker can run this command and change the user's password. Two things in the request are worth noticing. The userid is sent as a POST field, so if the server uses that value rather than $_SESSION['userid'] to pick the account, the attacker chooses which account to modify. And the command supplies an old password (111111), so whether it succeeds with only a stolen cookie depends on whether the interface actually verifies the old password, which the example does not show.

Solution

We can make the logon check stricter to raise the bar against the attack above. One method is to tie the session to the User-Agent item in the request header and verify it on every request.


User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

At the project entry we called session_start() to start the session. The original fix adds this line right under session_start():

$_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT']);

Setting it unconditionally on every request does not work, though: the attacker's request would store the attacker's own User-Agent before the comparison below is made, and the check would always pass. Store the value once, at logon (or only when it is not yet set):

if (!isset($_SESSION['user_agent'])) {
    $_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT'] ?? '');
}

Then, each time we determine whether the user is logged on, add the extra condition:

if (isset($_SESSION['userid']) && $_SESSION['user_agent'] === md5($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    return true;
}

This stops the simple curl replay above, which does not send the victim's User-Agent. It is only a speed bump: the User-Agent sits in the same request dump as the cookie, so whoever captured the cookie has it as well, and curl -A "<User-Agent>" reproduces it. The check is worth keeping, but the stronger defences are to serve the site over HTTPS so the cookie cannot be sniffed, to mark the cookie HttpOnly and Secure, to call session_regenerate_id(true) at logon, and to require the current password before a new one is accepted.
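The following is a fuller version of that hardening, written as an added example for this page; it is not the article's own code. It assumes a PDO connection $pdo created by the application's bootstrap, a users table with columns id and password_hash (stored with password_hash()), and PHP 7.3 or later for the array form of session_set_cookie_params(); the function names and the 'info' codes in the JSON reply are likewise assumptions, chosen to match the ajax handler shown earlier.

```php
<?php
// Added example for this article, not the original author's code.
// Assumed: $pdo is a PDO connection set up elsewhere, and the table
// users(id, password_hash) holds hashes produced by password_hash().
/** @var PDO $pdo */

// Cookie flags: HttpOnly keeps document.cookie from reading PHPSESSID,
// Secure keeps it off plaintext HTTP, SameSite=Lax blocks most cross-site POSTs.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Fingerprint of the client. The User-Agent is attacker-controlled, so this is
// a speed bump against a copied cookie, not authentication on its own.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Called once by the logon handler, after the credentials have been verified.
function login_user(int $userId, string $name): void
{
    // Fresh id on privilege change: a pre-logon id the attacker may already
    // know (session fixation) stops being valid here.
    session_regenerate_id(true);
    $_SESSION['userid']     = $userId;
    $_SESSION['uname']      = $name;
    // Bound at logon only; binding on every request would let the attacker's
    // own User-Agent overwrite the stored value before it is compared.
    $_SESSION['user_agent'] = client_fingerprint();
    $_SESSION['last_seen']  = time();
}

function is_login(int $idleSeconds = 1800): bool
{
    if (!isset($_SESSION['userid'], $_SESSION['user_agent'], $_SESSION['last_seen'])) {
        return false;
    }
    // Constant-time comparison of the two fixed-length hex digests.
    if (!hash_equals($_SESSION['user_agent'], client_fingerprint())) {
        return false;
    }
    // Idle timeout: a captured id stops working even if the user never logs out.
    if (time() - $_SESSION['last_seen'] > $idleSeconds) {
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Handler for /User/modifypass_do
function modify_password(PDO $pdo): array
{
    if (!is_login()) {
        return ['info' => 'not_logged_in'];
    }
    $oldpass = (string)($_POST['oldpass'] ?? '');
    $newpass = (string)($_POST['newpass'] ?? '');
    // The account comes from the session, never from the POSTed userid field.
    $userId = (int)$_SESSION['userid'];

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    // A copied cookie is not enough: the current password is required as well.
    if ($hash === false || !password_verify($oldpass, $hash)) {
        return ['info' => 'old_password_wrong'];
    }
    if (strlen($newpass) < 8) {
        return ['info' => 'new_password_too_short'];
    }
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($newpass, PASSWORD_DEFAULT), $userId]);
    // Rotate the id again so a session id captured before the change is dead.
    session_regenerate_id(true);
    return ['info' => 'ok'];
}

header('Content-Type: application/json');
echo json_encode(modify_password($pdo));
```

With this in place, the curl command from the attack section fails at three points: the request lacks the victim's User-Agent, it does not carry the real old password, and the userid it posts is ignored. The remaining exposure is a cookie captured together with its headers from plaintext HTTP, which is why the Secure flag and HTTPS are listed alongside the session checks.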

Summary:

Of course, a real attack is far from this simple. First, obtaining the SessionID is the hard part; it could be read out of the headers above only because the traffic was plain HTTP, so the communication with the server should be encrypted (served over HTTPS) wherever possible to avoid that situation. With the second round of changes we raise the cost of the attack rather than rule it out. There are many attack methods; this is only one simple case, offered as one line of thought, but the principle is the same, and in practice we can harden our code according to the actual situation. Due to my limited level, I only want to share the problems I met at work; if you have any suggestions, please leave a message below so we can discuss them and improve together.
