session_regenerate_id and secure attributes

Problem description:

I have a strange issue where after I regenerate a session ID using

session_regenerate_id(true);

The cookie seems to lose its "Secure, HttpOnly" flags.

I can reset the cookie by using

$params = session_get_cookie_params();
setcookie("PHPSESSID", session_id(), 0, $params["path"], $params["domain"],
    true,  // this is the secure flag you need to set. Default is false.
    true   // this is the httpOnly flag you need to set
);

but Veracode (who we use for security testing) is flagging it as insecure because the first cookie (the one that is regenerated) does not have the secure, HttpOnly tags in the header.

Here is the sample header

Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Nov 2018 12:56:41 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=98
Location: home.php
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/; secure; HttpOnly

Veracode is flagging the issue because the first cookie does not have the secure, httpOnly tags. I guess it's only reading the first, or it feels that them not showing up by default is insecure. How do I go about forcing those tags on a regenerated session? Or is there a better way to achieve what they ask? Here is my code.

session_start();

$_SESSION = array();
session_unset();
session_destroy();
session_start(); // Not sure if this is needed

session_regenerate_id(true);
$params = session_get_cookie_params();
setcookie("PHPSESSID", session_id(), 0, $params["path"], $params["domain"],
    true,  // this is the secure flag you need to set. Default is false.
    true   // this is the httpOnly flag you need to set
);

In your local folder PHP.ini settings (typically called user.ini and found in your root HTML directory of your website account), you can set the PHP.ini values:

session.cookie_secure=1
session.cookie_httponly=1
session.use_only_cookies=1

and this will mean any usage of session cookies by this account (this website) will conform to the above requirements.

This is much better than coding these requirements into your scripts, as this can be easily missed or overlooked down the line.

Your script can then be:

session_start();
...
session_regenerate_id(true);

And you will know everything else will be taken care of automatically.

You can read a little more about session security HERE.

You can

session_set_cookie_params ( int $lifetime [, string $path 
       [, string $domain [, bool $secure = FALSE [, bool $httponly = FALSE ]]]] )

before session_start()

The session_unset, destroy and start are not needed then. Also don't assign a value to $_SESSION, as you are overwriting the session data.

https://secure.php.net/manual/en/function.session-set-cookie-params.php
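Putting both answers together, here is an added example (not code from the question or from either answer) that configures the cookie attributes once before session_start(), rotates the ID on login without any setcookie() call, and then inspects every Set-Cookie header PHP emitted for the session cookie. It assumes PHP 7.3 or later (array form of session_set_cookie_params() and SameSite support) and a web SAPI such as the built-in server; the SameSite value and the user_id are assumed sample values.

```php
<?php
// Added example, not code from the question or its answers. Configure the
// session cookie once, before session_start(), so the cookie PHP emits on
// session_start() and on session_regenerate_id() already carries Secure and
// HttpOnly. Assumes PHP >= 7.3 and a web SAPI (e.g. `php -S localhost:8080`);
// under the CLI no headers are emitted, so the self-check below reports nothing.
declare(strict_types=1);

// Equivalent to session.cookie_secure=1, session.cookie_httponly=1 and
// session.use_only_cookies=1 in php.ini / user.ini, set per script instead.
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not generate
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,   // only sent over TLS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',  // assumed policy; use 'Strict' if cross-site links are not needed
]);
session_start();

// After a successful login: rotate the ID so a session ID fixated before
// authentication cannot be reused. No setcookie() call is needed; PHP re-emits
// the cookie with the parameters configured above.
$_SESSION['user_id'] = 42; // constructed sample value
session_regenerate_id(true);

// Self-check: return every Set-Cookie header for the session cookie that lacks
// Secure or HttpOnly (empty array means all of them are correctly flagged).
function findUnflaggedSessionCookies(array $headers, string $name): array
{
    $bad = [];
    foreach ($headers as $header) {
        if (stripos($header, "Set-Cookie: $name=") !== 0) {
            continue;
        }
        $attrs = array_map('trim', explode(';', strtolower($header)));
        if (!in_array('secure', $attrs, true) || !in_array('httponly', $attrs, true)) {
            $bad[] = $header;
        }
    }
    return $bad;
}

$missing = findUnflaggedSessionCookies(headers_list(), session_name());
header('Content-Type: text/plain');
echo $missing === [] ? "all session cookies carry Secure and HttpOnly\n"
                     : "unflagged:\n" . implode("\n", $missing) . "\n";
```

Because the cookie is marked Secure, a browser will only send it back over HTTPS, so the session will not persist across plain-HTTP requests to the built-in server; the emitted headers can still be inspected there.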