PHP sessions: usage, security problems and how to solve them

Source: Internet
Author: User
Tags: garbage collection, html form, http cookie, session id, php session, php tutorial

Of course, sessions have many advantages, such as being easy to control and allowing the storage to be customized (for example, stored in a database). I will not say much more about that here.

Does the session need any setup in php.ini? Generally not, because not everyone has permission to modify php.ini. By default, session files are stored in the server's system temporary folder; we can instead store them in a folder of our own, which I will introduce later.

Let's begin with how to create a session. It is really very simple.

Start the session and create an "admin" session variable:

<?php
// Start the session (must come before any access to $_SESSION)
session_start();
// Declare a session variable named admin and assign it null
$_SESSION["admin"] = null;
?>

If a PHP file uses session variables, you must start the session with session_start() before accessing $_SESSION. You do not need to set up anything else; PHP creates the session file automatically.

After running this script, we can find the session file in the system temporary folder. The file name looks like sess_4c83638b3b0dbf65583181c2f89168ec: the prefix sess_ followed by the session ID, a random 32-character hexadecimal string.

To store sessions somewhere other than the temporary folder, PHP provides the function bool session_set_save_handler(callable $open, callable $close, callable $read, callable $write, callable $destroy, callable $gc), which lets us plug in our own storage mechanism.
The function takes the following 6 callbacks:
1. bool open(string $save_path, string $session_name): opens the session storage mechanism.
2. bool close(): closes the session store.
3. string read(string $session_id): called when session data is loaded from storage; returns the serialized data, or an empty string if there is none.
4. bool write(string $session_id, string $data): writes all data for the given session ID to the store.
5. bool destroy(string $session_id): destroys the data associated with the specified session ID.
6. bool gc(int $maxlifetime): garbage-collects expired data in the storage system.
For an example, see the session_set_save_handler() function in the PHP manual.
If you are working with a class, you can use:

session_set_save_handler(
    array('ClassName', 'open'),
    array('ClassName', 'close'),
    array('ClassName', 'read'),
    array('ClassName', 'write'),
    array('ClassName', 'destroy'),
    array('ClassName', 'gc')
);
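As an added example (not from the original article), here is a complete save handler written against SessionHandlerInterface, which PHP 5.4 and later accept in place of the six separate callbacks. It keeps each session in a directory of our choosing and validates the session ID before building a file path, so a crafted ID cannot escape that directory. The directory /var/lib/myapp/sessions and PHP 8.1 or later are assumptions.

```php
<?php
// Added example: file-based session storage in a custom directory.
// Assumes /var/lib/myapp/sessions exists and is writable only by the web server user.
class FileSessionHandler implements SessionHandlerInterface
{
    private string $dir;

    public function __construct(string $dir)
    {
        $this->dir = rtrim($dir, '/');
    }

    // Only build paths from IDs that look like PHP session IDs (22..256 chars from the
    // sid_bits_per_character alphabet). Anything else is treated as "no such session".
    private function path(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) ? "{$this->dir}/sess_$id" : null;
    }

    public function open($savePath, $sessionName): bool
    {
        return is_dir($this->dir) && is_writable($this->dir);
    }

    public function close(): bool
    {
        return true;
    }

    public function read($id): string
    {
        $file = $this->path($id);
        return ($file !== null && is_file($file)) ? (string) file_get_contents($file) : '';
    }

    public function write($id, $data): bool
    {
        $file = $this->path($id);
        return $file !== null && file_put_contents($file, $data, LOCK_EX) !== false;
    }

    public function destroy($id): bool
    {
        $file = $this->path($id);
        return $file === null || !is_file($file) || unlink($file);
    }

    // Garbage collection: remove sessions idle for longer than session.gc_maxlifetime.
    public function gc($maxLifetime): int|false
    {
        $removed = 0;
        foreach (glob("{$this->dir}/sess_*") ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

$handler = new FileSessionHandler('/var/lib/myapp/sessions');
// Second argument registers session_write_close() as a shutdown function.
session_set_save_handler($handler, true);
session_start();
```

Because the handler is registered before session_start(), PHP never touches the system temporary folder; gc() is invoked by PHP according to session.gc_probability and session.gc_divisor, so the cleanup still happens without a cron job.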

About session security issues
If an attacker manages, by whatever means, to obtain a valid session ID of an existing user, he gains the same capabilities in the system as that user.
HTTP is stateless, so a site usually uses a session to identify a user. On the client side the session is a cookie holding a special token (the session ID), while the important data is kept on the server side. But because the token is stored on the client and transmitted with every request, it is still exposed.

1. The session is terminated, but the token is still active

Scenario: when the user logs out, the program only deletes the token on the client (for example, by sending a Set-Cookie header that clears the cookie). The server-side session data is not deleted, so anyone who still holds the token can continue to use it.
Workaround: delete the server-side data on logout (session_destroy()), not just the cookie.
Test method: after logging out, replay a request with the old token; if the application still treats you as logged in, the token is still valid. (Firefox's Web Developer extension, or any tool that lets you edit cookies, can be used for this.)
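An added example (not from the original article) of a logout script that removes the server-side data as well as the cookie; it assumes the application uses PHP 7.3 or later for the array form of setcookie():

```php
<?php
// Added example: logout that destroys the server-side session, not just the client token.
session_start();

// Forget everything stored for this session in memory.
$_SESSION = [];

// Expire the session cookie in the browser with the same scope it was set with;
// otherwise the browser keeps sending the now-dead ID.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?? 'Lax',
    ]);
}

// Delete the session file (or whatever the save handler stores) on the server.
// Without this call the old token would remain valid: exactly the problem described above.
session_destroy();

header('Location: /login.php');
exit;
```

To verify, capture the PHPSESSID cookie before logging out, then after logging out replay a request to a protected page with `curl -b "PHPSESSID=<old id>" https://example.com/account` (example command, example.com assumed); it should be refused.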

2. Tokens can be transmitted via the URL

Scenario: if the session ID can be passed in the URL, an attacker can fix the victim's session identifier simply by placing a link on the attacker's site, for example: http://www.example.com/index.php?PHPSESSID=fixed_session_id. If the victim does not yet have a session cookie for example.com, the session fixation succeeds. Once the victim uses the session identifier chosen by the attacker, the attacker can hijack the victim's session and, by mimicking the victim's user agent, impersonate the victim.
Workaround: set session.use_only_cookies to 1 in PHP so the session ID is never read from the URL. It has been the default since PHP 5.3, so you normally do not need to change it; also keep session.use_trans_sid at its default of 0 so PHP does not rewrite URLs to carry the ID.

3. The token is leaked on the network

Scenario: the session token is transmitted unencrypted, and a listener in a suitable position on the network can intercept it.
a. When the user logs in over an insecure HTTP channel, all data transmitted between the user and the server can be intercepted; nothing is secret from whoever is listening. Even if the intercepted data is not sufficient to perform a second login (for example, some banking systems require the person logging in to submit a one-time code that changes each time), the attacker can still hijack the session he eavesdropped on.

b. Some applications issue a token on HTTP pages and then switch to HTTPS for the login page, but do not change the token at login. The result is that a session that started out unauthenticated is upgraded to an authenticated one after login, and an eavesdropper could have intercepted its token before the login took place. To improve security, the application should issue a new token at login time.

c. The application allows login over HTTP. If the attacker manages to downgrade the user's connection to HTTP, he can still intercept the token.

d. All pages are served over HTTPS, but images, JavaScript, CSS and other static files are served over HTTP. If the static files are in the same domain as the login page, the cookie is sent with those HTTP requests and the token leaks anyway. This is one of the benefits of serving static files from a separate domain.
Other solutions:
a. If your application uses HTTP cookies to carry the session token, make sure they are set with the Secure flag, so the browser never sends the token over an unencrypted connection.
b. Do not accept logins over an insecure connection.
c. Bind the session to the client's HTTP_USER_AGENT. This method is not very effective, however, since an attacker can forge that header.

4. The client-side token is easy to hijack

a. If the site has a cross-site scripting (XSS) vulnerability, the user's token is very easy to steal. Audit the whole site for XSS, and set session.cookie_httponly so that scripts cannot read the cookie, which mitigates such attacks to some extent. Using HttpOnly improves application security.

b. An attacker can hijack a user's session in other ways, by using other attacks against the user. This includes session fixation, where the attacker plants a known session token on the user and waits for them to log in.
Workaround: 1. Issue a new session token every time a login succeeds (session_regenerate_id()).
2. Give the token a particular format and refuse tokens in any other form. On its own this is not very effective; what does work is rejecting any session ID the server did not itself generate, which PHP offers as session.use_strict_mode = 1 (PHP 5.5.2 and later).


5. The cookie scope is too broad

When the browser submits a cookie, it sends it to the domain the cookie was set for and all of its subdomains, and never to other domains. If your application sets the cookie's domain too broadly (for example, .example.com when only www.example.com needs it), any vulnerable or untrusted subdomain receives the token, which exposes the application to a variety of attacks.
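The following added example (not from the original article) collects the fixes for points 2 to 5 into one session bootstrap: cookies only, strict mode, Secure/HttpOnly/SameSite flags, a host-only cookie domain, refusal to run over HTTP, and a fresh session ID on login. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); checkCredentials() is a hypothetical function standing in for your own authentication.

```php
<?php
// Added example: hardened session bootstrap covering points 2 to 5 above.
// Call secureSessionStart() at the top of every page instead of a bare session_start().
function secureSessionStart(string $cookieDomain = ''): void
{
    // 2. Never read the session ID from the URL, and never rewrite URLs to carry it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // 4b. Reject session IDs this server did not generate (defeats a planted, fixed ID).
    ini_set('session.use_strict_mode', '1');

    // 3a / 4a / 5. Secure: never sent over plain HTTP. HttpOnly: not readable by script.
    // An empty domain yields a host-only cookie; '.example.com' would reach every subdomain.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $cookieDomain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // 3b / 3c. Refuse to serve anything over HTTP at all, so there is no channel to downgrade to.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    session_start();
}

// 3b / 4b. After a successful login, issue a fresh session ID and delete the pre-login
// session, so a token observed or planted before authentication never becomes authenticated.
function loginSucceeded(string $userId): void
{
    session_regenerate_id(true);   // true = remove the old session's data as well
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Usage. checkCredentials() is hypothetical: your own password verification goes there.
secureSessionStart();
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && checkCredentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    loginSucceeded($_POST['user']);
}
```

With use_strict_mode on, a request carrying the attacker's fixed_session_id from point 2 is given a brand-new ID instead, and the regenerate-on-login step ensures that even an ID leaked during the HTTP phase of point 3b is worthless once the user authenticates.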


6. The token is not strong enough

Tokens are either too simple or generated in a predictable pattern, allowing an attacker to predict or infer other users' tokens. For example, an attacker can obtain a token from the site at time A and another at time B, then attack by analysing a large sample of tokens issued in that period.

Solution: generate strong tokens with enough complexity. A high-quality random source may have to take considerable steps to gather enough entropy, which takes time, so on its own it is often not enough to meet demand. Additional entropy can be obtained by mixing in some request-specific data, such as:
1. a series of random numbers
2. the source IP address
3. the User-Agent header of the request
4. the request time
5. a server-side private random number (secret)
Concatenate the above data and then process the string with a suitable hashing algorithm (such as MD5 or SHA-256). Placing the most variable data items at the beginning of the hash input helps maximise the avalanche effect of the hash. Note that PHP's own session IDs have been generated from a cryptographically secure random source since PHP 7.1, with their length set by session.sid_length and session.sid_bits_per_character, so this recipe matters mainly when you mint tokens yourself; for that, random_bytes() is the better primitive.
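An added example (not from the original article) showing both approaches: tightening PHP's own session ID generation, and minting application tokens either directly from the CSPRNG or with the recipe above, keyed with the server secret so that guessing the other inputs is not enough. The settings need PHP 7.1 or later; $serverSecret is assumed to be a long random value kept outside the web root.

```php
<?php
// Added example: strong token generation.

// Strengthen PHP's own session IDs: 48 characters from a 64-symbol alphabet is 288 bits,
// versus the 128 bits of the default 32 hex characters.
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

// Preferred way to mint an application token: the CSPRNG. random_bytes() throws an
// Exception if no secure source is available instead of degrading silently.
function strongToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));   // 64 hex characters, 256 bits of entropy
}

// The recipe from the text (concatenate variable data, then hash) with two changes:
// the hash is keyed with the server-side secret (item 5) via HMAC, so an attacker who
// knows the IP, User-Agent and time still cannot reproduce the token, and SHA-256
// replaces MD5. $serverSecret is assumed to be loaded from outside the web root.
function recipeToken(string $serverSecret): string
{
    $parts = [
        bin2hex(random_bytes(16)),              // 1. a series of random numbers (most variable, first)
        $_SERVER['REMOTE_ADDR'] ?? '',          // 2. source IP address
        $_SERVER['HTTP_USER_AGENT'] ?? '',      // 3. User-Agent header
        sprintf('%.6F', microtime(true)),       // 4. request time
    ];
    return hash_hmac('sha256', implode('|', $parts), $serverSecret);
}

// Accept only tokens of the exact shape we issue (the "refuse other forms" check of point 4b).
function looksLikeOurToken(string $token): bool
{
    return preg_match('/^[0-9a-f]{64}$/', $token) === 1;
}
```

Both functions return 64 lowercase hex characters, so looksLikeOurToken() can gate either; comparisons against a stored token should use hash_equals() to avoid timing leaks.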


Some other ways to enhance security are:

1. Per-page tokens
A new token is used on each page, delivered either through an HTML form or a cookie; if a mismatch occurs, the entire session is terminated.

2. Before performing an important operation, require a second confirmation step.
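An added example (not from the original article) of the per-page token in item 1, carried in a hidden form field: every rendered page gets a fresh single-use token, and a POST whose token does not match the one stored server-side terminates the whole session.

```php
<?php
// Added example: per-page token delivered through an HTML form.
session_start();

// Issue a fresh token for the page being rendered and remember it server-side.
function issuePageToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['page_token'] = $token;
    return $token;
}

// Verify the token submitted with the form. The stored token is consumed either way
// (single use); on mismatch the entire session is terminated, as the text describes.
function verifyPageToken(?string $submitted): bool
{
    $expected = $_SESSION['page_token'] ?? null;
    unset($_SESSION['page_token']);
    if ($expected === null || $submitted === null || !hash_equals($expected, $submitted)) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyPageToken($_POST['page_token'] ?? null)) {
        http_response_code(403);
        exit('Session terminated: page token mismatch.');
    }
    // ... handle the submitted form here ...
}

$token = issuePageToken();
?>
<form method="post">
  <input type="hidden" name="page_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Continue</button>
</form>
```

The trade-off a practitioner should weigh: because each page invalidates the previous token, using the browser's Back button or working in two tabs at once will end the session, which is why the text lists this as an optional hardening rather than a default.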

Security is a big problem and the details matter most. This article is my notes from reading "Hacker Attack and Defense Technology Treasury: Web Practice" (the Chinese edition of The Web Application Hacker's Handbook).
- Cold Front

<?php
// session_start() must have been called before this check runs.
if (!isset($_SESSION['user_agent'])) {
    // First request of this session: remember the client's IP address and User-Agent.
    $_SESSION['user_agent'] = $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'];
}
/* The IP or User-Agent changed: treat the session ID as possibly forged (hijacked). */
elseif ($_SESSION['user_agent'] !== $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) {
    // Issue a new session ID. Note that this alone does not log the suspicious client out,
    // since the session data is carried over; a stricter response is session_destroy()
    // followed by a forced re-login.
    session_regenerate_id();
}
?>
