Dealing with session hijacking in PHP

谁说胖子不能爱 提交于 2021-02-19 06:07:07

问题


Reading through the many questions regarding session hijacking here on Stackoverflow, I've gathered that the only 'solution' to validating a users session is by checking the user agent, which is such a weak layer of protection that I don't even bother to implement it.

So, I was wondering what solutions you guys have implemented? Are you even using PHP's native sessions or is there a more secure solution?


回答1:


You don't need the session id in order to hijack a session. An XSS attack can go 1 of 2 ways. The most common is to read document.cookie and send it to a remote server (this request will also contain the victims USER_AGENT so checking this value is a complete a total waste of time as it doesn't prevent any attack what so ever). A cool security method developed by Microsoft is called HTTPOnly Cookies, and most browsers support this security feature.

HTTPOnly Cookies and checking the client's ip address doesn't stop all session hijacks. In fact if the attacker has an XSS vulnerability he can just forge requests using XHR on the victims browser and there for wouldn't need to know the value of the cookie.

At the end of the day in order to stop session hijacking you need to plug the vulnerabilities in your web application. Most importantly you need to prevent "Session Riding" which is also known as CSRF. You also need to prevent XSS vulnerabilities, Acunetix free edition is a good tool for finding them. . Last but certinly not least you must read the OWASP A3: Broken Authentication and Session Management. A common violation of OWASP A3 is that people don't use HTTPS for the entire session. At no point can you spill the value of the cookie over http, this has the exact same impact as if you spilled the username/password. If a hacker is sniffing the traffic he will have immediate access to your site.




回答2:


Simply log the user out if the request has a different IP and/or hostname. As for people with dynamic IP's - well, logging in again is not that much of a problem.

Obviously the "right" way of dealing with it is implementing SSL.



来源:https://stackoverflow.com/questions/3132073/dealing-with-session-hijacking-in-php

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!