I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example:
我知道这个话题已经讨论了很多,但我还有一些具体的问题仍未得到解答。例如:
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');
// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');
// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);
// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
session_start();
// If the user is already logged
if (isset($_SESSION['uid'])) {
// If the IP or the navigator doesn't match with the one stored in the session
// there's probably a session hijacking going on
if ($_SESSION['ip'] !== getIp() || $_SESSION['user_agent_id'] !== getUserAgentId()) {
// Then it destroys the session
session_unset();
session_destroy();
// Creates a new one
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
}
} else {
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
// Set the default values for the session
setSessionDefaults();
$_SESSION['ip'] = getIp(); // Saves the user's IP
$_SESSION['user_agent_id'] = getUserAgentId(); // Saves the user's navigator
}
So, my questions are
所以,我的问题是
- do the
ini_set's provide enough security? - ini_set提供足够的安全性吗?
- is it okay to save the user's IP and navigator and then check it every time the page is loaded to detect a session hijack? Could this be problematic in any way?
- 是否可以保存用户的IP和导航器,然后每次加载页面时检查它以检测会话劫持?这有什么问题吗?
- is the use of
session_regenerate_id()correct? - 是使用session_regenerate_id()正确吗?
- is the use of
session_id()correct? - 是使用session_id()正确吗?
1 个解决方案
#1
14
Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration: session_id(sha1(uniqid(microtime()));
你的配置很棒。你肯定读过如何锁定php会话。然而,这行代码否定了php配置提供的大量保护:session_id(sha1(uniqid(microtime()));
This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from /dev/urandom which is a awesome entropy pool. This is going to be a lot more random than uniqid() which is already mostly a timestamp, adding another timestamp to this mix doesn't help at all. Remove this line of code, asap.
这是一种生成会话ID的特别糟糕的方法。根据您的配置,您将从/ dev / urandom生成会话ID,这是一个非常棒的熵池。这将比uniqid()更加随机,而uniqid()已经主要是一个时间戳,为这个混合添加另一个时间戳根本没有帮助。尽快删除这行代码。
Checking the IP address is problematic, ip addresses change for legitimate reasons, such as if the user is behind a load balancer or TOR. The user agent check is pointless, it is like having a GET variable like ?is_hacker=False, if the attacker has the session id they probably have the user agent, and if they don't this value is really easy to brute force.
检查IP地址是有问题的,IP地址会因合法原因而更改,例如,如果用户位于负载均衡器或TOR之后。用户代理检查是没有意义的,就像有一个GET变量,如?is_hacker = False,如果攻击者有会话ID,他们可能有用户代理,如果他们没有,这个值真的很容易暴力。
#1
14
Your configuration is awesome. You definitely read up on how to lock down php sessions. However this line of code negates a lot of the protection provided by your php configuration: session_id(sha1(uniqid(microtime()));
你的配置很棒。你肯定读过如何锁定php会话。然而,这行代码否定了php配置提供的大量保护:session_id(sha1(uniqid(microtime()));
This is a particularly awful method of generating a session id. Based on your configurations you are generating the session id from /dev/urandom which is a awesome entropy pool. This is going to be a lot more random than uniqid() which is already mostly a timestamp, adding another timestamp to this mix doesn't help at all. Remove this line of code, asap.
这是一种生成会话ID的特别糟糕的方法。根据您的配置,您将从/ dev / urandom生成会话ID,这是一个非常棒的熵池。这将比uniqid()更加随机,而uniqid()已经主要是一个时间戳,为这个混合添加另一个时间戳根本没有帮助。尽快删除这行代码。
Checking the IP address is problematic, ip addresses change for legitimate reasons, such as if the user is behind a load balancer or TOR. The user agent check is pointless, it is like having a GET variable like ?is_hacker=False, if the attacker has the session id they probably have the user agent, and if they don't this value is really easy to brute force.
检查IP地址是有问题的,IP地址会因合法原因而更改,例如,如果用户位于负载均衡器或TOR之后。用户代理检查是没有意义的,就像有一个GET变量,如?is_hacker = False,如果攻击者有会话ID,他们可能有用户代理,如果他们没有,这个值真的很容易暴力。