Session hijacking and PHP

Problem description:

Let's just consider the trust that the server has with the user.

Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php)

Session sidejacking: SSL encryption for the entire site.

Am I safe?

Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding".

You should use this code in a PHP header file:

<?php
// Send the session cookie only over HTTPS.
ini_set('session.cookie_secure', 1);
// Keep the cookie out of document.cookie (not readable by script).
ini_set('session.cookie_httponly', 1);
// Never accept a session id from the URL, only from the cookie.
ini_set('session.use_only_cookies', 1);
session_start();

This code prevents session fixation. It also helps protect against XSS from accessing document.cookie, which is one way that Session Hijacking can occur. Enforcing HTTPS-only cookies is a good way of addressing OWASP A9-Insufficient Transport Layer Protection. This way of using HTTPS is sometimes called "secure cookies", which is a terrible name for it. Also STS is a very cool security feature, but not all browsers support it (yet).
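The following is an added example that ties the question's setup (session_regenerate_id() only in login.php, SSL for the whole site) to the answer's cookie hardening. It is not code from the question or the answer. It assumes PHP 7.3 or newer (for the 'samesite' key accepted by session_set_cookie_params() and setcookie()), and verify_credentials() is a hypothetical stand-in backed by a constructed one-user table; a real application would check against its own user store.

```php
<?php
declare(strict_types=1);

// Added example, not the original answer's code. Assumes PHP >= 7.3.

function secure_session_start(): void
{
    // Cookie-only sessions: a session id in the URL is the classic fixation
    // vector and also leaks through Referer headers.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server never issued instead of adopting them.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, removed when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // HTTPS only (the answer's session.cookie_secure)
        'httponly' => true,    // not visible to document.cookie (XSS cookie theft)
        'samesite' => 'Lax',   // limits cross-site requests carrying the cookie ("session riding")
    ]);

    // The answer's STS: tell the browser to stay on HTTPS for this host.
    // Only meaningful (and only honoured) when sent over HTTPS.
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        header('Strict-Transport-Security: max-age=31536000');
    }

    session_start();
}

// Hypothetical credential check over a constructed one-user table.
// Returns the user id on success, null otherwise.
function verify_credentials(string $user, string $pass): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

// Called on successful login: issue a brand-new id to the authenticated user so
// any id planted before authentication is worthless afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true); // true = also delete the old session data
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie client-side with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// --- usage, e.g. in login.php ---
secure_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = verify_credentials((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
    if ($id !== null) {
        login_user($id);
        header('Location: /home.php', true, 303);
        exit;
    }
}
```

session_set_cookie_params() covers the same three settings as the answer's ini_set() lines and adds SameSite, which directly addresses the CSRF point the answer raises; session.use_strict_mode is what makes "regenerate only at login" sufficient, because an attacker-chosen id is rejected before it can ever be promoted to an authenticated session.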