I'm currently using the following code in my CMS to check if the visitor is logged in as admin so that he can edit the current page:
if($_SESSION['admin']=="1")
{
    // single quotes inside the string so the HTML attribute quotes don't terminate it
    echo "<a href='foobar/?update'>edit</a>";
}
But I'm worried that the code is unsafe. Can't $_SESSION variables easily be modified by the user?
What would be a safer practice?
6 solutions
#1
No, that's a good way to do it. The user can't modify the $_SESSION global, unless he has access to your server. Remember to stay away from client-side cookies.
To make it even more safe, a good way is to store the IP address and check that it stays the same between every request.
#2
The code is OK, you're just showing a link. Just make sure that your UPDATE script is protected as well.
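The point of this answer, that showing the link is not the access control, is easiest to see when the same check is enforced on the update handler itself. The following is an added example (not code from the question or any answer): one shared `auth.php` whose `require_admin()` is called at the top of the update script, so a request to `foobar/?update` is refused whether or not the link was ever rendered. The session keys `user_id` and `is_admin` are assumed to be set by the login code, which is not shown.

```php
<?php
// auth.php -- added example, not from the original thread.
// Assumes login stored 'user_id' (int) and 'is_admin' (bool) in the session.

declare(strict_types=1);

session_start();

/** True only when the server-side session marks this user as an admin. */
function is_admin(): bool
{
    // Strict comparison: a missing key, "1 ", 1, or any other loosely-equal
    // value must not pass. Only the boolean true stored at login counts.
    return isset($_SESSION['user_id'])
        && isset($_SESSION['is_admin'])
        && $_SESSION['is_admin'] === true;
}

/** Stop the request outright unless the caller is an admin. */
function require_admin(): void
{
    if (!is_admin()) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- page.php (after `require __DIR__ . '/auth.php';`) ---
// Showing the link is cosmetic; it only decides what the admin sees.
//
//   if (is_admin()) {
//       echo "<a href='foobar/?update'>edit</a>";
//   }
//
// --- foobar/update.php (after `require __DIR__ . '/../auth.php';`) ---
// This is the real control: it runs on every request to the handler,
// including ones typed into the address bar without ever seeing the link.
//
//   require_admin();
//   // ... perform the update ...
```

The check lives in one function so the page and the handler cannot drift apart; if the rule for "admin" changes, both call sites change with it.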
#3
$_SESSION variables can not be set by the user. The code is therefore perfectly fine, although you would usually ask your user backend (typically just a table users, sometimes LDAP) about the current user's privileges.
#4
I found this presentation about session security
It explains how to avoid:
- Session fixation.
- Session hijacking.
Also the slide with more information has some really good links
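Both problems the presentation covers have standard PHP mitigations, and the snippet below is an added example (not from the slides or from any answer in this thread) showing them together: reject session ids the server never issued, lock down the session cookie, issue a fresh id the moment a login succeeds, and expire idle sessions so a stolen id has a short useful lifetime. The function names `establish_login_session` and `enforce_idle_timeout` and the 15-minute idle limit are this example's own choices.

```php
<?php
// session_hardening.php -- added example, not from the original thread.

declare(strict_types=1);

// Session fixation defence: an id the client presents that the server never
// created is discarded and a new one issued (use_strict_mode), and ids are
// never accepted from the URL (use_only_cookies).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// Session hijacking defence at the cookie layer: the id travels only over
// HTTPS, is invisible to document.cookie, and is not sent on cross-site POSTs.
session_set_cookie_params([
    'lifetime' => 0,        // expires with the browser session
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Call once credentials have been verified. Regenerating the id means any
 * id the client held before login (possibly chosen by someone else) is now
 * worthless, and clearing $_SESSION drops pre-auth state.
 */
function establish_login_session(int $userId): void
{
    session_regenerate_id(true);    // true: delete the old session data too
    $_SESSION = [];
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

/**
 * Call at the top of every authenticated page. A session idle for longer
 * than $maxIdleSeconds is destroyed rather than silently reused.
 */
function enforce_idle_timeout(int $maxIdleSeconds = 900): void
{
    if (isset($_SESSION['last_seen'])
        && time() - (int) $_SESSION['last_seen'] > $maxIdleSeconds) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('Session expired');
    }
    $_SESSION['last_seen'] = time();
}

/** Log out properly: clear server-side data and the cookie, not just a flag. */
function end_session(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

`use_strict_mode` is the setting that actually defeats fixation: without it PHP will happily adopt whatever id arrives in the cookie, so regenerating the id at login only helps if the server also refuses ids it did not mint.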
#5
Session variables should be safe enough once your coding is secure.
Also, use the following instead. It stops mistakes with ==. You should probably also use true, as it is a lot quicker than string comparisons.
if( "1" === $_SESSION['admin'] )
#6
This code is no longer safe:
if mypage.php contains this code:
session_start();
$_SESSION['admin']=1;
echo "<a href='http://the.link-to-your-page.php' target='_blank'>link</a>";
If the link is clicked, the session admin as 1 will be carried to your page and the edit button will appear.
The safest way is to set a token (this is a very simple step) right after login is authenticated. e.g. $token = hash('sha512', $var.....); $_SESSION['token']=$token;
On top of every page put something like this:
if(!isset($_SESSION['token'])){ die('Access Denied');}
if(!isset($_SESSION['username'])){ die('Access Denied');}
First check the token carried in the SESSION and then check the user ID, including the level of permissions for users. This is just a simple approach; put more fingerprint scan code at the beginning to make it complex to intercept the session id.
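The guard this answer sketches, and the advice in answer #3 to ask the user backend about privileges, combine into one per-request check: confirm that the session holds an authenticated identity, then look the role up in the user store instead of trusting a privilege flag copied into the session at login (so a user demoted or disabled after logging in loses access on the next request). This is an added example, not code from either answer; it assumes a PDO handle and a `users` table with `id`, `role` and `disabled` columns, all hypothetical.

```php
<?php
// guard.php -- added example, not from the original thread.
// Assumes login stored only the authenticated user's integer id in
// $_SESSION['user_id'], and a hypothetical `users(id, role, disabled)` table.

declare(strict_types=1);

session_start();

/**
 * Resolve the current user's role from the user store on every request.
 * Returns null when nobody is logged in (no id in the session) or when the
 * user no longer exists or has been disabled since login.
 */
function current_role(PDO $pdo): ?string
{
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = :id AND disabled = 0');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $role = $stmt->fetchColumn();
    return $role === false ? null : (string) $role;
}

/**
 * Deny the request unless the stored role is exactly one of $allowed.
 * Strict in_array so "admin " or a numeric role can't match by coercion.
 */
function require_role(PDO $pdo, string ...$allowed): void
{
    $role = current_role($pdo);
    if ($role === null || !in_array($role, $allowed, true)) {
        http_response_code(403);
        exit('Access Denied');
    }
}

// Usage at the top of an admin-only page and of the update handler
// (DSN is a placeholder for the application's real connection):
//
//   $pdo = new PDO('sqlite:' . __DIR__ . '/cms.db');
//   require_role($pdo, 'admin');
//
// Rendering the edit link uses the same lookup, so link and handler agree:
//
//   if (current_role($pdo) === 'admin') {
//       echo "<a href='foobar/?update'>edit</a>";
//   }
```

Because the role comes from the database each time, the session carries only an identity, which is what the login step actually proved; the authorization decision is recomputed from current data rather than from whatever was true at login time.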