PHP Session Security

Posted 2018-12-31 03:41

What are some guidelines for maintaining responsible session security with PHP? There's information all over the web and it's about time it all landed in one place!

Tags: security php
13 answers
只靠听说
Reply 2 · 2018-12-31 03:56

php.ini:

session.cookie_httponly = 1

Change the session name from the default PHPSESSID.

e.g. for Apache, add the header:

X-XSS-Protection    1
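The php.ini directives the reply above lists, applied at runtime before session_start() together with the other cookie flags a practitioner would set alongside them. This is an added example, not code from the reply; the session name APPSESSID and the SameSite choice are assumptions for a typical HTTPS-only site.

```php
<?php
// Added example (not from the reply above): hardening the session cookie at
// runtime, equivalent to the php.ini directives it mentions.
// Must run before session_start(); the name and SameSite value are assumptions.

declare(strict_types=1);

function configure_session(): void
{
    // Never accept a session ID the server did not issue itself; this is the
    // setting that defeats attacker-chosen IDs (session fixation).
    ini_set('session.use_strict_mode', '1');
    // IDs travel only in the cookie, never in URLs (no ?PHPSESSID=... leakage
    // into logs, Referer headers and bookmarks).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Replace the default PHPSESSID name; the value is an arbitrary choice.
    session_name('APPSESSID');

    // Cookie flags: HttpOnly keeps script (XSS) from reading the ID, Secure keeps
    // it off plaintext HTTP, SameSite limits sending on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',    // 'Strict' if no cross-site navigation needs the session
    ]);
}

configure_session();
session_start();

// Sanity check for the reader: dump the effective cookie parameters.
print_r(session_get_cookie_params());
```

session_set_cookie_params() with an options array needs PHP 7.3 or later; on older versions the positional form takes the same values minus SameSite. The X-XSS-Protection header from the reply is no longer acted on by current Chromium-based browsers, and Firefox never implemented it; a Content-Security-Policy header is the browser-side control to pair with HttpOnly today.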
笑指拈花
Reply 3 · 2018-12-31 03:59

I think one of the major problems (which is being addressed in PHP 6) is register_globals. Right now one of the standard methods used to avoid register_globals is to use the $_REQUEST, $_GET or $_POST arrays.

The "correct" way to do it (as of 5.2, although it's a little buggy there, but stable as of 6, which is coming soon) is through filters.

So instead of:

$username = $_POST["username"];

you would do:

$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING); // strips tags; FILTER_SANITIZE_STRING is deprecated as of PHP 8.1

or even just:

$username = filter_input(INPUT_POST, 'username');
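A worked example of the filter extension the reply above points at, added here and not part of the reply: it validates instead of merely sanitising, so invalid or missing fields are rejected rather than silently cleaned, and it goes one step beyond the single username field to a whole request. filter_var_array() is used on a constructed array so the script runs from the CLI; on a real request, filter_input_array(INPUT_POST, INPUT_SPEC) takes the same specification. The field names and rules are assumptions.

```php
<?php
// Added example, not code from the reply above: validating request fields
// with the filter extension. The field rules are assumptions for illustration.

declare(strict_types=1);

const INPUT_SPEC = [
    // Usernames: 3-32 chars, letters, digits and underscore only.
    'username' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/'],
    ],
    'email' => FILTER_VALIDATE_EMAIL,
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 13, 'max_range' => 120],
    ],
];

/**
 * Returns [$clean, $errors]. filter_var_array() yields null for a missing key
 * and false for a value that fails its filter; both are treated as errors so
 * the caller never sees unvalidated input.
 */
function validate_input(array $raw): array
{
    $result = filter_var_array($raw, INPUT_SPEC, true);
    $errors = [];
    foreach (INPUT_SPEC as $field => $_) {
        if ($result[$field] === null || $result[$field] === false) {
            $errors[] = $field;
        }
    }
    return [$result, $errors];
}

// Constructed sample input standing in for $_POST.
$good = ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '34'];
$bad  = ['username' => '<script>', 'email' => 'not-an-address', 'age' => '9'];

foreach (['good' => $good, 'bad' => $bad] as $label => $raw) {
    [$clean, $errors] = validate_input($raw);
    if ($errors === []) {
        // FILTER_VALIDATE_INT returns a real int, so $clean['age'] is typed, not a string.
        printf("%s: accepted, age is %s %d\n", $label, get_debug_type($clean['age']), $clean['age']);
    } else {
        // '<script>' fails the regexp, the address is malformed, 9 is below min_range.
        printf("%s: rejected fields %s\n", $label, implode(', ', $errors));
    }
}

// Escaping belongs at output time, whatever was accepted on input.
echo htmlspecialchars($bad['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

The split matters for sessions too: whatever is placed in $_SESSION after login (usernames, roles, redirect targets) should have passed a validation like this first, because the rest of the site trusts session contents without re-checking them.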
爱死公子算了
Reply 4 · 2018-12-31 04:01

You need to be sure the session data are safe. By looking at your php.ini or using phpinfo() you can find your session settings. session.save_path tells you where they are saved.

Check the permissions of the folder and of its parents. It shouldn't be public (/tmp) or be accessible by other websites on your shared server.

Assuming you still want to use PHP sessions, you can set PHP to use another folder by changing session.save_path or save the data in the database by changing session.save_handler.

You might be able to set session.save_path in your php.ini (some providers allow it) or, for Apache + mod_php, in a .htaccess file in your site root folder: php_value session.save_path "/home/example.com/html/session". You can also set it at run time with session_save_path().

Check Chris Shiflett's tutorial or Zend_Session_SaveHandler_DbTable to set up an alternative session handler.

与风俱净
Reply 5 · 2018-12-31 04:02

This session fixation paper has very good pointers where attack may come. See also session fixation page at Wikipedia.

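The defence against the session fixation attack the reply above links to, as an added example that is not part of the reply: the session ID is replaced the moment the session becomes privileged, so an ID the attacker planted beforehand (through a link, a cookie set from a sibling subdomain, or an old cookie) never becomes an authenticated one, and IDs the server did not issue are refused outright. The credential store and the user are constructed stand-ins.

```php
<?php
// Added example, not from the reply above: the session ID lifecycle that
// defeats fixation. The credential store below is a constructed stand-in.

declare(strict_types=1);

ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1');  // no ?PHPSESSID= in URLs to plant
session_start();

/** Constructed credential check; a real application looks the hash up in storage. */
function check_credentials(string $user, string $password): bool
{
    $hashes = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($hashes[$user]) && password_verify($password, $hashes[$user]);
}

/** On successful login, discard the pre-auth ID: whoever planted or knew it is locked out. */
function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // true deletes the old session record too, so the old ID is dead rather than an alias.
    session_regenerate_id(true);
    $_SESSION = [
        'user'      => $user,
        'auth_time' => time(),
    ];
    return true;
}

/** Any later privilege change (re-authentication for a sensitive action) rotates again. */
function elevate(): void
{
    session_regenerate_id(true);
    $_SESSION['elevated_at'] = time();
}

/** Logout: clear the data, expire the cookie in the browser, destroy the server record. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

$before = session_id();
if (login('alice', 'correct horse')) {
    echo session_id() === $before ? "ID NOT rotated\n" : "ID rotated on login\n";
    elevate();
    echo "elevated at {$_SESSION['elevated_at']}\n";
}
```

session.use_strict_mode is the half that is easy to forget: without it, PHP happily creates a session under whatever ID the attacker's cookie presents, and rotation on login is the only remaining barrier.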
柔情千种
Reply 6 · 2018-12-31 04:02

I set my sessions up like this:

on the log in page:

session_start();
// PHRASE is a secret string defined on a config page
$_SESSION['fingerprint'] = md5($_SERVER['HTTP_USER_AGENT'] . PHRASE . $_SERVER['REMOTE_ADDR']);

(phrase defined on a config page)

then in the header that is included throughout the rest of the site:

session_start();
// Recompute the fingerprint for this request and compare it with the one stored at login
if ($_SESSION['fingerprint'] != md5($_SERVER['HTTP_USER_AGENT'] . PHRASE . $_SERVER['REMOTE_ADDR'])) {
    // Mismatch: throw the session away and send the visitor back to the login page
    session_destroy();
    header('Location: http://website login page/');
    exit();
}
皆成旧梦
Reply 7 · 2018-12-31 04:06

I would check both IP and User Agent to see if they change

// $_SESSION['user_agent'] and $_SESSION['user_ip'] are stored at login time
if ($_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT']
    || $_SESSION['user_ip'] != $_SERVER['REMOTE_ADDR'])
{
    //Something fishy is going on here?
}
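The fingerprint check the two replies above describe, as an added example that is code from neither reply: the same binding idea with an HMAC under a server secret instead of md5(secret . data), a constant-time comparison, and the IP address made optional. REMOTE_ADDR changes legitimately for mobile users and corporate proxies, and behind a load balancer it is the balancer's address, so binding to it by default logs out real users without stopping an attacker on the same network. FINGERPRINT_KEY, BIND_TO_IP and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example, not code from either reply above: HMAC-based session
// fingerprint with constant-time comparison and optional IP binding.
// FINGERPRINT_KEY is an assumption; load it from configuration, not source.

declare(strict_types=1);

const FINGERPRINT_KEY = 'replace-with-a-32-byte-random-secret';
const BIND_TO_IP = false;   // true only when PHP sees stable, real client IPs

function fingerprint(array $server, bool $bindIp = BIND_TO_IP): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    // HMAC rather than md5(secret . data): the key cannot be recovered from the
    // output, and the construction is not vulnerable to length extension.
    return hash_hmac('sha256', implode("\0", $parts), FINGERPRINT_KEY);
}

/** Call right after login, when the session is first trusted. */
function bind_session(array $server): void
{
    $_SESSION['fingerprint'] = fingerprint($server);
}

/** Call on every request; false means the session must not be trusted. */
function session_matches(array $server): bool
{
    if (!isset($_SESSION['fingerprint'])) {
        return false;
    }
    // hash_equals() does not leak where the two strings first differ.
    return hash_equals($_SESSION['fingerprint'], fingerprint($server));
}

/** On mismatch: drop all data and hand the client a fresh, empty session. */
function reject_session(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

// Constructed requests standing in for $_SERVER on successive hits.
$login = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', 'REMOTE_ADDR' => '203.0.113.7'];
$same  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', 'REMOTE_ADDR' => '198.51.100.9'];
$other = ['HTTP_USER_AGENT' => 'curl/8.4.0', 'REMOTE_ADDR' => '203.0.113.7'];

session_start();
bind_session($login);
// Same browser from a new address is accepted with BIND_TO_IP false.
echo 'same browser, new IP: ', session_matches($same) ? "accepted\n" : "rejected\n";
// A different client presenting the stolen cookie is rejected.
echo 'different client:     ', session_matches($other) ? "accepted\n" : "rejected\n";
if (!session_matches($other)) {
    reject_session();
}
```

Treat this as a tripwire, not a lock: an attacker who obtained the cookie by XSS or a network sniff can usually copy the User-Agent as well, so the check catches casual cookie reuse and nothing more. The controls that actually stop the theft are the HttpOnly and Secure cookie flags and ID rotation on login.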