Home >Backend Development >PHP Tutorial >Security analysis of PHP session_PHP tutorial
This achieves the purpose of convenience and speed, but when it stores information, it often contains some sensitive things, which may become targets of attacks, such as bank account numbers, credit card transactions or file records, etc. This requires that security measures must be taken when writing code to reduce the possibility of successful attacks.
The main security measures include the following two aspects.
1. Prevent attackers from obtaining the user’s session ID.
There are many ways to obtain the session ID. An attacker can obtain it by viewing the clear text communication, so it is very dangerous to put the session ID in the URL or in a cookie transmitted over an unencrypted connection; and Passing the session ID in the URL (as a _get() parameter) is also unsafe because the URL is stored in the browser's history cache and can be easily read. (Consider using ssh for encrypted transmission)
There is also a more subtle attack method. The attacker uses a Web site that has been breached by a script attack to redirect the users of the breached site to another. A site, then insert the following code in the URL of the redirected site:
?PHPSESSID=213456465412312365465412312;
Finally sent to the web application. When the user views the web application, PHP will see that there is no data associated with this session ID and will create some. The user does not know what happened, but the attacker knows the session ID and can use this session ID to enter the application.
To prevent this attack, there are two ways.
(1) Check whether session.use_only_cookie is turned on in php.ini. If this is the case, PHP will reject URL-based session IDs.
(2) When starting a session, put a variable in the session data. This variable indicates that the session was created by the user; if it is found that there is no such variable in the session data, it means that the session ID is false, and you can call session_regenerate_id Function that assigns a new session ID to an existing session.
Example:
Determine whether the session ID is true or false by judging whether the variable exists. If it exists, the session ID is true, otherwise it is false, and use the session_regenerate_id() function to Change the session ID and create a new session ID for the session.
The code is as follows: