Are sessions in PHP secure? PHP session security
I have been doing PHP development for a long time without ever really paying attention to security; each time, I simply finished the project. Recently I read an article about security on the Internet, and afterwards I noticed that my previous projects had many security vulnerabilities. So I picked one project for testing and found that it was easy to compromise. Here I will share my own test example to illustrate how a session in PHP can be insecure and how to strengthen its security in a project.
There are many good articles on the Internet that introduce the principles and mechanism of sessions, which you can consult on your own. The following example is the one used for testing.
The example in this test is a logon page. After a successful logon, you can change the password. It is a simple function.
The interface is as follows:
First, the session_start() function is called at the project's entry point to enable the session. When the client then makes a request, an ID, the SessionID, is generated and stored on the client in a cookie. Each exchange between the client and the server is identified by this SessionID.
After successful logon, the user ID and user name will be stored in the session.
$_SESSION['userid'] = $userid; // the user ID
$_SESSION['uname'] = $uname; // the user name
Every subsequent operation checks whether $_SESSION['userid'] exists to decide whether the user is logged on. The code is as follows:
if(isset($_SESSION['userid'])) return true;
The password change interface is called to transmit data to the server through ajax post.
$.post("interface ********", {oldpass: oldpass, newpass: newpass, userid: uid}, function (data) {
    data = eval('(' + data + ')');
    $('.grant_info').html(infos[data.info]).show();
});
Note: I wrote this code directly in the HTML page, so anyone who views the HTML source will know the interface address.
The interface for changing the password is implemented in this way. The first step is to determine whether the user is logged on. If the user is logged on, the password is changed.
The implementation idea of the test example is probably as described above.
SessionID attack
1. The first step is to obtain the SessionID. Of course, there are many ways for attackers to obtain this ID. Due to my limited level, I will not introduce how to obtain it here. We can simulate this step by accessing the project normally and then viewing the SessionID in the browser to obtain a valid user's ID. You can see this ID in the request header:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: Hm_lvt_bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7;
Host: ******
Referer: ******
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Once the SessionID has been obtained, if that user has logged on successfully, the session on the server contains the user's information.
2. After obtaining the SessionID, the attacker can directly modify this user's password if he knows the password modification interface. If the attacker does not know the interface address, it can be found by viewing the page code, using the following command:
# curl --cookie "PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7" <page address>
As we have said above, in this example the ajax code is written in the HTML page, so the interface address can be read from this page.
Some of the HTML code is as follows:
......
var uid = $(".userid").val();
$.post("/User/modifypass_do", {oldpass: oldpass, newpass: newpass, userid: uid}, function (data) {
    data = eval('(' + data + ')');
    $('.grant_info').html(infos[data.info]).show();
});
......
3. After obtaining the interface address, curl can be used to simulate the POST that sends the data and changes the password.
The command is as follows:
# curl --cookie "PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7" -d oldpass=111111 -d newpass=000000 -d userid=<user ID> <interface address>
If the user has logged on, attackers can execute the preceding command to modify the user password.
Solution
We can make the authentication check more complex to defend against the attack above. One method is to use the User-Agent item in the request header:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: Hm_lvt_bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2eiq9hcpu3ksri4r587ckt9jt7;
Host: ******
Referer: ******
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
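At the beginning of the project, we used the session_start() function to start the session. Now we can add this code under session_start(). It records the fingerprint only when the session does not have one yet; if the value were overwritten on every request, the later comparison would always succeed.
// Record the User-Agent fingerprint once, when the session is first created
if (!isset($_SESSION['User_Agent'])) { $_SESSION['User_Agent'] = md5($_SERVER['HTTP_USER_AGENT']); }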
Then, each time you check whether the user is logged on, add the following condition:
if (isset($_SESSION['userid']) && $_SESSION['User_Agent'] == md5($_SERVER['HTTP_USER_AGENT'])) { return true; }
In this way, the above simple attacks can be avoided.
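A fuller version of this check, as an added example that is not the author's code: the fingerprint is recorded once at login, and the example goes beyond the article by also regenerating the session ID at login and setting cookie flags, because the User-Agent travels in the same request header as PHPSESSID. The function names are hypothetical, and the secure flag assumes the site is served over HTTPS (PHP 7.3 or later).

```php
<?php
// Added example, not from the original article. Function names are hypothetical.

function ua_fingerprint(): string
{
    // SHA-256 instead of md5; an absent header hashes the empty string.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function start_secure_session(): void
{
    // Keep PHPSESSID away from page scripts and plain-HTTP requests.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumption: the site runs over HTTPS
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
    session_start();
}

function login_user(int $userid, string $uname): void
{
    // Issue a new ID at login, so an ID observed before login is useless.
    session_regenerate_id(true);
    $_SESSION['userid']     = $userid;
    $_SESSION['uname']      = $uname;
    $_SESSION['User_Agent'] = ua_fingerprint(); // recorded once, at login
}

function is_logged_in(): bool
{
    if (!isset($_SESSION['userid'], $_SESSION['User_Agent'])) {
        return false;
    }
    // Constant-time comparison of the stored and current fingerprints.
    if (hash_equals($_SESSION['User_Agent'], ua_fingerprint())) {
        return true;
    }
    // Mismatch: treat the session as stolen and end it.
    $_SESSION = [];
    session_destroy();
    return false;
}
```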
Summary:
Of course, attacks in real situations are far from this simple. First, it is difficult to obtain the SessionID. Second, the code that interacts with the server should be encrypted as much as possible to avoid the situation above. After we modify the code the second time, we increase the complexity of the attack and prevent it. There are many attack methods; this is just one simple method, and it only offers one idea, but the principle is the same. In real situations, we can strengthen the security of our code according to the circumstances.
Here I have only shared the problems I encountered at work. I hope you can study them further.