


Detailed graphic explanation of codeigniter security precautions in PHP
This article introduces the security precautions to take when using CodeIgniter in PHP. Readers interested in the topic can use it as a reference; I hope it is helpful to everyone.
1. httponly
The session cookie must be httponly; otherwise an XSS attack can read the cookie's session_id from JavaScript.
Use the framework's ci_session: its id has more digits and the cookie is httponly, and both are configured by default.
Do not use the native PHP session; use ci_session, whose session id is longer.
If you do want to use the native session, set it like this (php.ini):
session.sid_length        ; lengthen the sid here; the default is too short
session.cookie_httponly = 1   ; with this set, the native session cookie becomes httponly
2. phpinfo
Be sure to disable the phpinfo page. The request information it dumps, such as cookie values, can be used by attackers.
3. Force the entire site to https
Redirect through the CDN, and the local development environment must also be set up with https. If https cannot be used for some part, such as message push, create a separate site for it.
4. Strict mode
session.use_strict_mode = 1 (php.ini)
With strict mode on, PHP only accepts session ids it generated itself and rejects any id the client made up.
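The following is an added example, not code from the article or from CodeIgniter, that applies sections 1, 3 and 4 to a native PHP session (the case where ci_session cannot be used). The settings are standard php.ini directives applied at runtime before session_start(); enforceHttps and hardenNativeSession are names chosen here, the 48-character sid and the Lax SameSite value are this example's choices, and the array form of session_set_cookie_params assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the article): hardening a native PHP session and
// forcing https, covering sections 1, 3 and 4. Function names are chosen here.

/** Return the https URL to redirect to, or null when the request already used TLS. */
function enforceHttps(array $server): ?string
{
    // Behind a CDN or reverse proxy, TLS terminates upstream and the original
    // scheme arrives in X-Forwarded-Proto. Trust that header only when the
    // proxy in front of the site is known to set it.
    $https = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
          || (($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');
    if ($https) {
        return null;
    }
    return 'https://' . ($server['HTTP_HOST'] ?? 'localhost') . ($server['REQUEST_URI'] ?? '/');
}

/** Apply the hardening directives and return the effective settings for inspection. */
function hardenNativeSession(): array
{
    ini_set('session.use_strict_mode', '1');      // section 4: reject ids PHP did not issue
    ini_set('session.sid_length', '48');          // section 1: longer sid than the default (example value)
    ini_set('session.sid_bits_per_character', '6');
    ini_set('session.use_only_cookies', '1');     // never accept the sid from the URL
    ini_set('session.gc_maxlifetime', '60');      // section 8: short validity, 60 s as in the article
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie (same intent as sess_expiration = 0)
        'path'     => '/',
        'secure'   => true,    // section 3: only ever sent over https
        'httponly' => true,    // section 1: not readable from JavaScript
        'samesite' => 'Lax',   // limits cross-site sends; complements the CSRF token
    ]);
    return [
        'use_strict_mode' => ini_get('session.use_strict_mode'),
        'sid_length'      => ini_get('session.sid_length'),
        'cookie'          => session_get_cookie_params(),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed request that arrived over plain http behind a CDN: redirect target returned.
    var_dump(enforceHttps(['HTTP_HOST' => 'example.com', 'REQUEST_URI' => '/login']));
    // Same host after the CDN terminated TLS and set the header: null, nothing to do.
    var_dump(enforceHttps(['HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_HOST' => 'example.com']));
    print_r(hardenNativeSession());
}
```

In a web request the order matters: call enforceHttps($_SERVER) first and, if it returns a URL, send a Location header and exit; then call hardenNativeSession() and only after that session_start(), because cookie parameters set after the session has started do not apply to the cookie already sent.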
5. CSRF (cross-site request forgery)
A's cookie contains the session id of the site example.com and has not expired. B posts a picture on a forum to lure A into clicking it. The picture initiates a request disguised as coming from example.com; A's browser believes it and attaches the example.com cookie to the request. The request information is intercepted by B's code and sent to B through an asynchronous request, and B then logs in to A's account at example.com with this cookie. CI has an anti-CSRF mechanism: it automatically inserts a hidden CSRF field into each form. The following setting is required in application/config/config.php:
$config['csrf_protection'] = TRUE;
6. $this->input->post('a', true);
Simply pass true as the second parameter and XSS filtering is applied to the post data.
7. Replay
You encrypt your username and password and send them to the server for login verification. The attacker does not need to decrypt anything: to log in with your username and password he only needs to send the intercepted data packet again. This is a replay.
Defence for 5 and 6: each form contains a hidden random token that can be used only once.
One-time token implementation: store the token in redis, and delete it as soon as it is used or expires.
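As an added example (not code from the article or from CodeIgniter), here is a one-time form token of the kind described for sections 5 and 7: bound to the caller's session id, stored with a TTL, and removed atomically on first use, so that a replayed or forged submission is rejected. TokenStore, ArrayTokenStore, RedisTokenStore and OneTimeToken are names chosen here; the redis-backed store assumes the phpredis extension (the \Redis class), while the array-backed store exists only so the logic runs offline.

```php
<?php
// Added example, not from the article: one-time tokens against CSRF (5) and replay (7).

interface TokenStore
{
    /** Store $value under $key; the entry expires after $ttl seconds. */
    public function put(string $key, string $value, int $ttl): void;
    /** Return the value and delete the key in one step, or null if absent/expired. */
    public function take(string $key): ?string;
}

/** In-memory store so the example runs offline; mirrors the redis TTL semantics. */
final class ArrayTokenStore implements TokenStore
{
    private array $data = [];   // key => [value, expiry timestamp]

    public function put(string $key, string $value, int $ttl): void
    {
        $this->data[$key] = [$value, time() + $ttl];
    }

    public function take(string $key): ?string
    {
        if (!isset($this->data[$key])) {
            return null;
        }
        [$value, $expiry] = $this->data[$key];
        unset($this->data[$key]);            // one use only, whether or not it expired
        return time() < $expiry ? $value : null;
    }
}

/** Production store on redis (assumes phpredis): NX+EX on write, GET+DEL as one Lua script on read. */
final class RedisTokenStore implements TokenStore
{
    public function __construct(private \Redis $redis) {}

    public function put(string $key, string $value, int $ttl): void
    {
        $this->redis->set($key, $value, ['nx', 'ex' => $ttl]);
    }

    public function take(string $key): ?string
    {
        // Single script so two concurrent submits cannot both see the token.
        $script = "local v = redis.call('GET', KEYS[1]) "
                . "if v then redis.call('DEL', KEYS[1]) end return v";
        $v = $this->redis->eval($script, [$key], 1);
        return is_string($v) ? $v : null;
    }
}

final class OneTimeToken
{
    public function __construct(private TokenStore $store, private int $ttlSeconds = 300) {}

    /** Issue a token for this session; only a hash of it is kept server-side. */
    public function issue(string $sessionId): string
    {
        $token = bin2hex(random_bytes(32));
        $this->store->put($this->key($sessionId, $token), '1', $this->ttlSeconds);
        return $token;
    }

    /** True exactly once: right session, inside the TTL, never seen before. */
    public function consume(string $sessionId, string $token): bool
    {
        if (strlen($token) !== 64 || !ctype_xdigit($token)) {
            return false;                    // malformed, do not even touch the store
        }
        return $this->store->take($this->key($sessionId, $token)) !== null;
    }

    private function key(string $sessionId, string $token): string
    {
        // Binding to the session id makes a token lifted from one session useless
        // in another; hashing keeps the raw token out of the store.
        return 'form_token:' . hash('sha256', $sessionId . '|' . $token);
    }
}

if (PHP_SAPI === 'cli') {
    $tokens = new OneTimeToken(new ArrayTokenStore(), 300);
    $sid = 'ci_session_of_user_A';           // constructed session id for the demo
    $t = $tokens->issue($sid);
    var_dump($tokens->consume($sid, $t));                     // true: legitimate first submit
    var_dump($tokens->consume($sid, $t));                     // false: replayed submit
    var_dump($tokens->consume('other_session', $tokens->issue($sid))); // false: wrong session
    var_dump($tokens->consume($sid, str_repeat('0', 64)));    // false: forged token
}
```

In production, construct RedisTokenStore with a connected \Redis instance and embed the issued token in the form as a hidden field; the handler calls consume() with the current ci_session id before doing anything else, which gives the "can only be used once" property from the text even when the same packet is sent again.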
8. Summary: basic session strategy for a secure user login process:
(1) The session is only a browser session and becomes invalid when the browser is closed;
(2) The shorter the session validity period, the safer it is, for example 60 seconds;
(3) The session refresh time must be adjusted accordingly, for example 30 seconds;
(4) Use redis to store the session.
The configuration is as follows:
In php.ini:
session.gc_maxlifetime = 60
In application/config/config.php:
$config['sess_driver'] = 'redis';                    // store sessions in redis
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 0;                      // browser session: the client cookie expires when the browser closes
$config['sess_save_path'] = 'tcp://127.0.0.1:PORT';  // redis address (PORT: your redis port number)
$config['sess_match_ip'] = FALSE;                    // whether to require the client ip to stay the same
$config['sess_time_to_update'] = 30;                 // regenerate the sid once 30 seconds have passed
$config['sess_regenerate_destroy'] = TRUE;           // delete the old sid when regenerating
The difference between session id refresh and session expiry time:
Note: these settings are closely related to security and must be told apart and used with care.
What does session.gc_maxlifetime mean? It is the time from when a session is generated until it expires and can no longer be used. With redis this becomes concrete: the value is the duration set on the key when the sid is saved to redis. When a sid is generated, this time is written with it, and once it is reached the key-value pair is deleted.
sess_time_to_update, as its name implies, is the refresh time. It is a threshold: once this much time has passed, the sid will be refreshed. The refresh is not automatic; it happens when the session is accessed. When we use the session, the interval since the last refresh is compared with this value, and if it is larger the sid is regenerated. In practice this shows up when a page is refreshed: the page reads the session for authentication, and if the interval between two page loads exceeds this time, the sid is refreshed. Combined with maxlifetime above, a completed refresh renews the session: a new session is written together with a restarted timer. So if we refresh the page from time to time, the refresh mechanism is triggered whenever needed and the session never expires, as long as the page keeps being refreshed regularly. If the interval between two refreshes exceeds maxlifetime, "login timeout" is shown and the session is gone, because an attempt to refresh after expiry obviously fails.
In summary: maxlifetime sets the maximum gap allowed between two refreshes, beyond which the login times out; and time_to_update must be less than maxlifetime, necessarily, because if it were larger the session would already have expired and the refresh would be useless. Preferably, I think, time_to_update should be less than half of maxlifetime.
If maxlifetime is long (to improve the user experience, since constant login timeouts are never pleasant for users), it does no harm to set time_to_update short, because a short value makes life harder for whoever steals the session: by the time the thief tries to use the sid it may already have expired, so security is higher.
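To make the interplay above checkable, here is an added example, not code from the article or from CodeIgniter, that models the described policy (a redis key written with a maxlifetime TTL, a sid regenerated on access once sess_time_to_update has passed, the old sid destroyed) on a fake clock. SessionModel and runAccesses are names chosen here; 60 s and 30 s are the article's own values, and the 35 s, 61 s and 90 s figures are constructed for the scenarios.

```php
<?php
// Added example, not from the article: a model of session.gc_maxlifetime versus
// sess_time_to_update, as the text describes them, run against a fake clock.

final class SessionModel
{
    private array $expiry   = [];   // sid => time the redis key would expire
    private array $issuedAt = [];   // sid => time the sid was issued
    private int $counter = 0;

    public function __construct(
        private int $maxLifetime = 60,         // session.gc_maxlifetime
        private int $timeToUpdate = 30,        // $config['sess_time_to_update']
        private bool $regenerateDestroy = true // $config['sess_regenerate_destroy']
    ) {}

    /** Log in at $now: write a sid whose key lives for maxlifetime seconds. */
    public function login(int $now): string
    {
        return $this->issue($now);
    }

    /** Access the session at $now. Returns ['ok' => bool, 'sid' => ?string, 'event' => string]. */
    public function access(int $now, string $sid): array
    {
        // The key is gone once maxlifetime has passed since it was written: the
        // gap since the last refresh was too long, so the login times out.
        if (!isset($this->expiry[$sid]) || $now >= $this->expiry[$sid]) {
            unset($this->expiry[$sid], $this->issuedAt[$sid]);
            return ['ok' => false, 'sid' => null, 'event' => 'expired'];
        }
        // Refresh is not a timer; it happens on access, once the interval since
        // the sid was issued reaches sess_time_to_update. A new key with a fresh
        // TTL is written, and with sess_regenerate_destroy the old one is removed.
        if ($now - $this->issuedAt[$sid] >= $this->timeToUpdate) {
            $newSid = $this->issue($now);
            if ($this->regenerateDestroy) {
                unset($this->expiry[$sid], $this->issuedAt[$sid]);
            }
            return ['ok' => true, 'sid' => $newSid, 'event' => 'regenerated'];
        }
        return ['ok' => true, 'sid' => $sid, 'event' => 'valid'];
    }

    private function issue(int $now): string
    {
        $sid = sprintf('sid%02d', ++$this->counter);
        $this->expiry[$sid] = $now + $this->maxLifetime;
        $this->issuedAt[$sid] = $now;
        return $sid;
    }
}

/** Log in at t=0, then access at each time in $times; stop at the first failure. */
function runAccesses(array $times, int $maxLifetime = 60, int $timeToUpdate = 30): array
{
    $m = new SessionModel($maxLifetime, $timeToUpdate);
    $sid = $m->login(0);
    $log = [];
    foreach ($times as $t) {
        $r = $m->access($t, $sid);
        $log[] = sprintf('t=%3d %-11s sid=%s', $t, $r['event'], $r['sid'] ?? '-');
        if (!$r['ok']) {
            break;
        }
        $sid = $r['sid'];
    }
    return $log;
}

if (PHP_SAPI === 'cli') {
    // Page refreshed every 35 s: each access regenerates the sid; the session never times out.
    echo "steady use\n", implode("\n", runAccesses([35, 70, 105, 140])), "\n";
    // A 61 s gap between two refreshes exceeds maxlifetime: login timeout.
    echo "idle gap\n", implode("\n", runAccesses([35, 96])), "\n";
    // time_to_update (90) above maxlifetime (60): the key dies before any refresh can happen.
    echo "bad tuning\n", implode("\n", runAccesses([30, 60], 60, 90)), "\n";
    // Stolen sid: the user refreshes at t=35, the sid rotates and the old one is destroyed,
    // so a copy taken earlier is already dead when tried at t=40.
    $m = new SessionModel();
    $stolen = $m->login(0);
    $m->access(35, $stolen);
    echo "stolen sid at t=40: ", $m->access(40, $stolen)['event'], "\n";
}
```

The model follows the text rather than the driver's internals (the real redis driver also touches the key on every write), which is enough to show the three rules from the paragraph: the gap between two refreshes must stay under maxlifetime, time_to_update must be smaller than maxlifetime or nothing ever refreshes, and a rotated sid leaves a stolen copy worthless.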