A session usually exists to let a user move between the different parts of a Web application while the application keeps data for that user (this description is not complete; the main purpose is to share data across requests). That is convenient and fast, but the information kept in a session is often sensitive, such as bank accounts, credit card transactions or personal records, and so it becomes a target for attack. You therefore need to take security measures when writing code to reduce the chance that an attack succeeds.
The main security measures are as follows.
1. Prevent attackers from obtaining the user's session ID.
Attackers can obtain session IDs in many ways, for example by reading plaintext traffic. It is therefore dangerous to put a session ID in a URL or in a cookie sent over an unencrypted connection. Passing the session ID in the URL (as a $_GET parameter) is insecure in any case, because URLs are stored in the browser's history, which is easy to read. (Use SSL for encrypted transmission.)
There is also a more concealed attack, known as session fixation. An attacker who controls a Web site that has already been compromised by a script attack redirects visitors of that site to another site, appending a session ID of his own choosing to the URL of the target site:
?PHPSESSID=213456465412312365465412312
The URL is then sent to the Web application. When the user opens it, PHP finds no data associated with this session ID and creates a new session under it. The user notices nothing, but the attacker knows the session ID and can use it to access the application as that user.
There are two ways to prevent this attack.
(1) Check whether session.use_only_cookies is enabled in php.ini. When it is, PHP rejects session IDs passed in the URL.
(2) When a session is started, store a variable in the session data which indicates that the session was created by the application. If that variable is not found in the session data, the session ID was not issued by the application; call session_regenerate_id() to assign a new session ID to the existing session.
Example:
Whether the session ID is genuine is decided by whether the variable exists: if it does, the session ID is genuine; otherwise it is not, and session_regenerate_id() is used to replace it with a newly created session ID.
The code is as follows:
<?php
session_start();
if (!isset($_SESSION['shili1'])) {   // check whether the shili1 marker has been set
    $old_id = session_id();          // the original session ID
    session_regenerate_id();         // assign a new session ID to this session
    $new_id = session_id();          // the new session ID
    echo "old: $old_id<br>";         // output the original session ID
    echo "new: $new_id<br>";         // output the new session ID
    $_SESSION['shili1'] = TRUE;      // mark the session as created by the application
}
?>
Running result: the script prints the old session ID and the new one. This is only an example; the session IDs are printed to make it easier to understand and apply the function, and in real programs there is no need to output them.
2. Restrict what attackers can do with an obtained session ID.
The following steps make an obtained session ID harder to use.
(1) Append some additional secret string data to the User-Agent header and compute a hash value of the result with a function such as md5(). (A hash function accepts an input of arbitrary size and turns it into a short value that looks unrelated to the input; it cannot be reversed to recover the input, and it is infeasible to find a different input that produces the same value.)
Because extra data is appended to the User-Agent string before hashing, an attacker cannot reproduce the check simply by computing the md5 of common User-Agent values.
(2) Save the hashed string in the user's session data.
(3) Check the hash value on every request the user sends.
The code for this solution is as follows:
<?php
define('UA_SEED', 'webapp');        // extra secret data appended before hashing
session_start();
if (!isset($_SESSION['user_agent'])) {
    // first request: bind the session to the hash of the User-Agent plus seed
    $_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT'] . UA_SEED);
} else {
    if ($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'] . UA_SEED)) {
        // the User-Agent no longer matches: treat the session as suspect,
        // e.g. discard it and require the user to log in again
        $_SESSION = array();
        session_destroy();
        exit;
    }
}
?>
Creating these obstacles means that even an attacker who obtains a session ID cannot make use of it, which limits the damage to the system.
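As an added example, not code from the original article, the two measures above combined into one helper for PHP 7.3 or later; it also sets the cookie attributes that keep the ID off plaintext connections and away from client-side script, which goes slightly beyond the text. The function name secure_session_start(), the constant UA_SEED and the session keys 'initiated' and 'ua_hash' are names assumed for this example.

```php
<?php
// Added example: combines the session-fixation defence and the User-Agent
// binding from the article. Names are assumptions chosen for this example.

define('UA_SEED', 'webapp'); // keep this value secret in a real deployment

function secure_session_start(): void
{
    // Refuse session IDs supplied in the URL; only the cookie is accepted.
    ini_set('session.use_only_cookies', '1');
    // Reject IDs the server never issued, so a fixated ID is not adopted.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,  // not readable by client-side script
        'secure'   => true,  // only sent over an encrypted connection
        'samesite' => 'Lax',
    ]);
    session_start();

    $expected = md5(($_SERVER['HTTP_USER_AGENT'] ?? '') . UA_SEED);

    if (!isset($_SESSION['initiated'])) {
        // First request under this ID: replace it (deleting the old session
        // file) so an attacker-chosen ID never becomes a usable session.
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
        $_SESSION['ua_hash']   = $expected;
        return;
    }

    if (!hash_equals($_SESSION['ua_hash'], $expected)) {
        // The User-Agent no longer matches the one the session was bound to:
        // discard the session, expire the cookie and force a fresh login.
        $_SESSION = [];
        session_destroy();
        setcookie(session_name(), '', time() - 3600, '/');
        http_response_code(403);
        exit('Session check failed; please log in again.');
    }
}

secure_session_start();
echo 'session ' . session_id() . ' accepted';
?>
```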