Home > Article > Backend Development > A simple understanding of session security in php_PHP tutorial
There are many ways to obtain the session ID. An attacker can obtain it by viewing the clear text communication, so it is dangerous to put the session ID in the URL or in a cookie transmitted over an unencrypted connection; also in the URL ( Passing the session ID as the _get() parameter) is also unsafe because the URL is stored in the browser's history cache and can easily be read. (You can consider using ssh for encrypted transmission)
The main security measures include the following two aspects.
1. Prevent attackers from obtaining the user’s session ID.
There are many ways to obtain the session ID. An attacker can obtain it by viewing the clear text communication, so it is dangerous to put the session ID in the URL or in a cookie transmitted over an unencrypted connection; also in the URL ( Passing the session ID as the _get() parameter) is also unsafe because the URL is stored in the browser's history cache and can easily be read. (You can consider using ssh for encrypted transmission)
There is also a more subtle attack method. The attacker redirects users on the breached website to another website through a website that has been breached by a script attack, and then in the URL of the redirected website Insert the following code:
?PHPSESSID=213456465412312365465412312;
Finally sent to the web application. When the user views the web application, PHP will see that there is no data associated with this session ID and will create some. The user does not know what happened, but the attacker knows the session ID and can use this session ID to enter the application.
To prevent this attack, there are two ways.
(1) Check whether session.use_only_cookie is turned on in php tutorial.ini. If this is the case, PHP will reject URL-based session IDs.
(2) When starting a session, put a variable in the session data. This variable indicates that the session was created by the user; if it is found that there is no such variable in the session data, it means that the session ID is false, and you can call the session_regenerate_id function to give Existing sessions are assigned a new session ID.
Example:
Determine whether the session ID is true or false by judging whether the variable exists. If it exists, the session ID is true, otherwise it is false. Use the session_regenerate_id() function to change the session ID and create a new one for the session. session ID,
The code is as follows:
Copy the code. The code is as follows:
< ?php
session_start () ;
if (!isset ( $_SESSION['shili1'] )) { //Determine whether the shili1 variable is configured
$old_id = session_id (); //The variable name of the original session ID
session_regenerate_id (); //Get a new session ID
$new_id = session_id (); //Variable name of new session ID
echo "old : $old_id
" ; //Output the original session ID
echo "new : $new_id
" ; //Output new session ID
$_SESSION['shili1'] = TRUE ; }
?>
The running results are as shown in the figure:
This is just an example. The purpose of outputting the session ID is to better understand and apply this function. In programming, there is no need to output the session ID.
2. Restrict attackers from obtaining session IDs.
The method to limit attackers from obtaining the session ID is as follows.
(1) Use a function (md5) to calculate the hash value (hash) of the User-Agent header plus some additional string data. (A hash function takes an arbitrarily large set of data and converts it into a very different-looking data set. The resulting hash value is completely unreproducible and impossible to generate from Another input is generated )
Add some data after the User-Agent string, and the attacker will not be able to test the User-Agent string by calculating md5 encoding for common agent values.
(2) Save this encoded string in the user's session data.
(3) Check this hash value every time a request is received from this user.
The code for this solution is as follows:
Copy the code. The code is as follows:
define ( 'ua_seed','webapp' ) ;
session_start () ;
if ( !isset($_SESSION['user_agent'] )){
$_SESSION['user_agent'] = md5 ( $_SERVER['HTTP_USER_AGENT'].ua_seed );
}else{
if ($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'].ua_seed)){} }
?>
By causing some trouble for the attacker, even if the attacker obtains the session ID, he cannot destroy it, which can reduce the damage to the system