Simple understanding of session security in PHP (PHP tutorial)

Source: Internet
Author: User

The main security measures are in the following two areas.

1. Prevent the attacker from acquiring the user's session ID.

There are many ways to obtain a session ID. It can be read straight out of plaintext traffic, so it is dangerous to place the session ID in the URL, or in a cookie sent over an unencrypted connection. Passing it in the URL (as a $_GET parameter) is unsafe for a second reason: URLs are kept in the browser's history and in server and proxy logs, where they are easy to read. Serve the application over SSL/TLS (HTTPS) so the session cookie is encrypted in transit.

There is also a more covert attack, known as session fixation. The attacker uses a site that has already been compromised (for example through a script-injection flaw) to redirect the user to the target Web application, appending an attacker-chosen session ID to the URL:
?PHPSESSID=213456465412312365465412312

When the user's browser follows the redirect, PHP finds no data associated with that session ID and simply creates a new session under it. The user notices nothing, but the attacker already knows the session ID; once the user logs in, the attacker can present the same ID and enter the application as that user.

There are two ways to prevent this type of attack.
(1) Check php.ini and make sure session.use_only_cookies is enabled. PHP then ignores any session ID supplied in the URL and accepts it only from the cookie. (On PHP 5.5.2 and later, also enable session.use_strict_mode, which makes PHP refuse session IDs it did not issue itself, even when they arrive in the cookie.)
(2) When a session is started, put a marker variable into the session data to show that the session was created by this application. If a request arrives with a session that has no such marker, the session ID did not come from the application, so call session_regenerate_id() to assign a new session ID to the existing session. Pass true as its argument so the old session file is deleted rather than left behind under the ID the attacker knows.

Example:

Whether the session ID is genuine is decided by the presence of the marker variable: if it exists, the session was created by the application; otherwise the ID is treated as foreign and session_regenerate_id() is used to issue a new session ID for the session.

The code is as follows:

<?php
session_start();
if (!isset($_SESSION['shili1'])) {      // marker not present: session was not created by this application
    $old_id = session_id();             // remember the original session ID
    session_regenerate_id(true);        // issue a new session ID and delete the old session file
    $new_id = session_id();             // read the new session ID
    echo "Old: $old_id<br>";            // output the original session ID
    echo "New: $new_id<br>";            // output the new session ID
    $_SESSION['shili1'] = true;         // set the marker so the check passes on later requests
}
?>

Operation result:

Running it prints the original session ID on the first line and the newly generated one on the second. This is only an example; the IDs are printed to make the function's effect visible, and a real application must never output session IDs.
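The example above only shows the marker check. The following is an added example, not code from the original tutorial, that combines both defences from this section into one session bootstrap: it turns on session.use_only_cookies and session.use_strict_mode at runtime, sets the cookie flags, applies the marker check for PHP versions that lack strict mode, and regenerates the ID again at login, which is the moment the fixed ID would otherwise become valuable. The function names secure_session_start(), login_user() and logout_user(), the marker key 'initiated' and the user ID 42 are illustrative choices, not PHP built-ins or names from the tutorial.

```php
<?php
// Added example (not from the original tutorial): a session bootstrap that
// closes the fixation hole described above. secure_session_start(),
// login_user() and logout_user() are illustrative names, not PHP built-ins.

function secure_session_start()
{
    // Reject session IDs passed in the URL; only the cookie is consulted.
    ini_set('session.use_only_cookies', '1');
    // PHP >= 5.5.2: refuse a session ID the server never issued, so an
    // attacker-chosen ?PHPSESSID=... is discarded instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from JavaScript and, on HTTPS, off plaintext links.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);

    session_start();

    // Fallback for older PHP without use_strict_mode: a session that carries
    // no server-set marker was not created by this application, so replace
    // its ID. true = delete the old session file as well.
    if (!isset($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

function login_user($user_id)
{
    // Privilege change: issue a fresh ID so any ID the attacker planted or
    // observed before authentication no longer maps to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['logged_in_at'] = time();
}

function logout_user()
{
    // Clear server-side data, expire the cookie, then destroy the session.
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

secure_session_start();
// After the credentials have been verified (illustrative user ID):
// login_user(42);
```

The ini_set() calls must run before session_start(), because PHP reads these settings when the session is initialised. Regenerating at login matters even with strict mode on: an attacker who obtained the pre-login ID legitimately (for example by sniffing it) would otherwise inherit the authenticated session.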

2. Limit what an attacker can do with a captured session ID.

The method for limiting what an attacker can do with a captured session ID is as follows.
(1) Compute a hash (MD5 in this example) of the User-Agent header concatenated with some extra secret string. A hash function accepts input of any size and maps it to a short, fixed-length digest that looks unrelated to the input; the same input always yields the same digest, while finding a different input that yields the same digest is meant to be impractical.

Appending a secret string to the User-Agent before hashing means an attacker cannot reproduce the stored value simply by computing the MD5 of common browser User-Agent strings.

(2) Store the resulting digest in the user's session data.
(3) On every subsequent request from this user, recompute the digest and compare it with the stored one; a mismatch means the session ID is being presented by a different client.

Note the limit of this check: the User-Agent header is chosen by the client, so an attacker who captured the session cookie from plaintext traffic has the victim's User-Agent as well and can replay it. The check raises the bar for an attacker who obtained only the ID (for example from a history entry or a log), and a browser update that changes the User-Agent will also invalidate the session.

The code for this scenario is as follows:

<?php
define('UA_SEED', 'WebApp');      // extra secret string appended to the User-Agent
session_start();
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (!isset($_SESSION['user_agent'])) {
    $_SESSION['user_agent'] = md5($ua . UA_SEED);   // first request: store the digest
} elseif ($_SESSION['user_agent'] !== md5($ua . UA_SEED)) {
    $_SESSION = array();                            // mismatch: a different client presented this ID
    session_destroy();                              // discard the session instead of serving it
    exit;
}
?>

This does not stop the theft, but it creates extra trouble for the attacker and reduces the damage: even an attacker who has captured the session ID cannot use it to take over the session without also matching the stored fingerprint.
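The snippet above leaves the mismatch branch empty. The following is an added example, not the tutorial's own code, that goes slightly beyond it: it binds the session to the client with a keyed HMAC over the User-Agent instead of md5(ua . seed), compares in constant time with hash_equals() (PHP 5.6+), and on a mismatch discards the session data and issues a fresh ID before sending the user back to login. The names client_fingerprint(), bind_session_to_client() and FINGERPRINT_KEY, the session key 'client_fp' and the /login.php URL are illustrative; the key value is a placeholder and in practice must be loaded from configuration, not kept in source.

```php
<?php
// Added example (not from the original tutorial): bind a session to the
// client's User-Agent with a keyed hash and act on a mismatch.
// client_fingerprint(), bind_session_to_client() and FINGERPRINT_KEY are
// illustrative names; the key value below is a placeholder.

define('FINGERPRINT_KEY', 'replace-with-a-long-random-secret-from-config');

function client_fingerprint($key)
{
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // HMAC rather than md5(ua . seed): the key is mixed in properly and the
    // digest cannot be reproduced from a list of common User-Agent strings.
    return hash_hmac('sha256', $ua, $key);
}

function bind_session_to_client($key)
{
    $current = client_fingerprint($key);

    if (!isset($_SESSION['client_fp'])) {
        // First request of this session: record the fingerprint.
        $_SESSION['client_fp'] = $current;
        return true;
    }

    // Constant-time comparison so the check itself leaks nothing by timing.
    if (hash_equals($_SESSION['client_fp'], $current)) {
        return true;
    }

    // Mismatch: the ID is being replayed from a different client (or the
    // user's browser changed). Wipe the data and move to a fresh ID rather
    // than serving the session; the old file is deleted by the true flag.
    $_SESSION = array();
    session_regenerate_id(true);
    return false;
}

session_start();
if (!bind_session_to_client(FINGERPRINT_KEY)) {
    header('Location: /login.php?reason=session_mismatch');
    exit;
}
// From here on the session is bound to the client that created it.
```

Because the caller decides what a false return means, the same function can be used to force re-authentication for a logged-in user while letting an anonymous visitor simply continue with the new empty session. The limitation stated above still applies: an attacker who captured both the cookie and the User-Agent from plaintext traffic passes this check, so it complements HTTPS and the fixation defences rather than replacing them.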

