blocks|key|1786991|text|一个指导原则是在每次会话的安全级别发生变化时调用session_regenerate_id。这有助于防止会话劫持。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1786992|entityMap|0|LINK|mutability|MUTABLE|url|http://www.php.net/session_regenerate_id^0|O|L|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

One guideline is to call <a href="http://www.php.net/session_regenerate_id" rel="nofollow noreferrer">session_regenerate_id</a> every time a session's security level changes. This helps prevent session hijacking.

blocks|key|1787078|text|我认为其中一个主要问题(在PHP6中正在解决)是register_globals。现在，避免使用register_globals的标准方法之一是使用$_REQUEST、$_GET或$_POST数组。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|1787079|要做到这一点，“正确”的方法(从5.2开始，虽然有一点小问题，但在6版本中是稳定的，很快就会出现)是通过filters。|1787080|因此，不是：|1787081|$username+=+$_POST["username"];|code-block|syntax|javascript|1787082|你会这样做：|1787083|$username+=+filter_input(INPUT_POST,+'username',+FILTER_SANITIZE_STRING);|1787084|或者仅仅是：|1787085|$username+=+filter_input(INPUT_POST,+'username');|1787086|entityMap|0|LINK|mutability|MUTABLE|url|http://us.php.net/filter^0|1C|G|22|9|2C|5|2I|6|0|1G|7|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|14|8|@$9|15|A|16|B|C]|$9|17|A|18|B|C]|$9|19|A|1A|B|C]|$9|1B|A|1C|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|1D|8|@]|D|@$9|1E|A|1F|1|1G]]|E|$]]|$1|H|3|I|5|6|7|1H|8|@]|D|@]|E|$]]|$1|J|3|K|5|L|7|1I|8|@]|D|@]|E|$M|N]]|$1|O|3|P|5|6|7|1J|8|@]|D|@]|E|$]]|$1|Q|3|R|5|L|7|1K|8|@]|D|@]|E|$M|N]]|$1|S|3|T|5|6|7|1L|8|@]|D|@]|E|$]]|$1|U|3|V|5|L|7|1M|8|@]|D|@]|E|$M|N]]|$1|W|3|-4|5|6|7|1N|8|@]|D|@]|E|$]]]|X|$Y|$5|Z|10|11|E|$12|13]]]]

I think one of the major problems (which is being addressed in PHP 6) is register_globals. Right now one of the standard methods used to avoid <code>register_globals</code> is to use the <code>$_REQUEST</code>, <code>$_GET</code> or <code>$_POST</code> arrays.

The "correct" way to do it (as of 5.2, although it's a little buggy there, but stable as of 6, which is coming soon) is through <a href="http://us.php.net/filter" rel="nofollow noreferrer">filters</a>.

So instead of:

<pre><code>$username = $_POST["username"];
</code></pre>

you would do:

<pre><code>$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
</code></pre>

or even just:

<pre><code>$username = filter_input(INPUT_POST, 'username');
</code></pre>

blocks|key|1787444|text|This+session+fixation+paper对可能发生攻击的地方有很好的提示。另请参见session+fixation+page+at+Wikipedia。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1787445|entityMap|0|LINK|mutability|MUTABLE|url|http://www.acros.si/papers/session_fixation.pdf|1|http://en.wikipedia.org/wiki/Session_fixation^0|0|R|0|1C|Y|1|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@$A|O|B|P|1|Q]|$A|R|B|S|1|T]]|C|$]]|$1|D|3|-4|5|6|7|U|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]|L|$5|G|H|I|C|$J|M]]]]

<a href="http://www.acros.si/papers/session_fixation.pdf" rel="nofollow noreferrer">This session fixation paper</a> has very good pointers where attack may come. See also <a href="http://en.wikipedia.org/wiki/Session_fixation" rel="nofollow noreferrer">session fixation page at Wikipedia</a>.

blocks|key|1572394|text|根据我的经验，使用IP地址并不是最好的主意。例如，我的办公室有两个根据负载使用的IP地址，而我们在使用IP地址时经常遇到问题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1572395|取而代之的是，我选择将会话存储在服务器上的域的单独数据库中。这样，文件系统上的任何人都无法访问该会话信息。这对phpBB+3.0之前的版本真的很有帮助(他们后来修复了这个问题)，但我认为这仍然是一个好主意。|1572396|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

Using IP address isn't really the best idea in my experience. For example; my office has two IP addresses that get used depending on load and we constantly run into issues using IP addresses. 

Instead, I've opted for storing the sessions in a separate database for the domains on my servers. This way no one on the file system has access to that session info. This was really helpful with phpBB before 3.0 (they've since fixed this) but it's still a good idea I think.

blocks|key|1787130|text|这是非常琐碎和明显的，但一定要在每次使用后使用session_destroy。如果用户不显式注销，这可能很难实现，因此可以设置计时器来执行此操作。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1787131|下面是关于setTimer()和clearTimer()的一个很好的tutorial。|1787132|entityMap|0|LINK|mutability|MUTABLE|url|http://www.php.net/session_destroy|1|http://www.elated.com/articles/javascript-timers-with-settimeout-and-setinterval/^0|N|F|0|0|Y|8|1|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@$A|Q|B|R|1|S]]|C|$]]|$1|D|3|E|5|6|7|T|8|@]|9|@$A|U|B|V|1|W]]|C|$]]|$1|F|3|-4|5|6|7|X|8|@]|9|@]|C|$]]]|G|$H|$5|I|J|K|C|$L|M]]|N|$5|I|J|K|C|$L|O]]]]

This is pretty trivial and obvious, but be sure to <a href="http://www.php.net/session_destroy" rel="nofollow noreferrer">session_destroy</a> after every use. This can be difficult to implement if the user does not log out explicitly, so a timer can be set to do this.

Here is a good <a href="http://www.elated.com/articles/javascript-timers-with-settimeout-and-setinterval/" rel="nofollow noreferrer">tutorial</a> on setTimer() and clearTimer().

blocks|key|1787222|text|PHP会话和安全性(除了会话劫持之外)的主要问题来自于您所处的环境。缺省情况下，PHP将会话数据存储在操作系统的temp目录中的一个文件中。没有任何特殊的想法或计划，这是一个完全可读的目录，因此您的所有会话信息对任何有权访问服务器的人都是公开的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1787223|至于在多个服务器上维护会话。在这一点上，最好将PHP切换到用户处理的会话，在那里它调用您提供的函数来CRUD+(创建、读取、更新、删除)会话数据。此时，您可以将会话信息存储在数据库或类似于memcache的解决方案中，以便所有应用程序服务器都可以访问数据。|1787224|如果您在一个共享服务器上，那么存储您自己的会话也可能是有利的，因为它允许您将其存储在数据库中，而数据库通常比文件系统拥有更多的控制权。|1787225|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

The main problem with PHP sessions and security (besides session hijacking) comes with what environment you are in. By default PHP stores the session data in a file in the OS's temp directory. Without any special thought or planning this is a world readable directory so all of your session information is public to anyone with access to the server.

As for maintaining sessions over multiple servers. At that point it would be better to switch PHP to user handled sessions where it calls your provided functions to CRUD (create, read, update, delete) the session data. At that point you could store the session information in a database or memcache like solution so that all application servers have access to the data.

Storing your own sessions may also be advantageous if you are on a shared server because it will let you store it in the database which you often times have more control over then the filesystem.

blocks|key|1572484|text|我把我的治疗过程设置成这样-|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1572485|在登录页面上：|1572486|$_SESSION['fingerprint']+=+md5($_SERVER['HTTP_USER_AGENT']+.+PHRASE+.+$_SERVER['REMOTE_ADDR']);|code-block|syntax|javascript|1572487|(在配置页面上定义的短语)|1572488|然后在整个站点的其余部分的标题上：|1572489|session_start();
if+($_SESSION['fingerprint']+!=+md5($_SERVER['HTTP_USER_AGENT']+.+PHRASE+.+$_SERVER['REMOTE_ADDR']))+{+++++++
++++session_destroy();
++++header('Location:+http://website+login+page/');
++++exit();+++++
}|1572490|entityMap^0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|R|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|S|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|T|8|@]|9|@]|A|$]]|$1|K|3|L|5|6|7|U|8|@]|9|@]|A|$]]|$1|M|3|N|5|F|7|V|8|@]|9|@]|A|$G|H]]|$1|O|3|-4|5|6|7|W|8|@]|9|@]|A|$]]]|P|$]]

I set my sessions up like this-

on the log in page:

<pre><code>$_SESSION['fingerprint'] = md5($_SERVER['HTTP_USER_AGENT'] . PHRASE . $_SERVER['REMOTE_ADDR']);
</code></pre>

(phrase defined on a config page)

then on the header that is throughout the rest of the site:

<pre><code>session_start();
if ($_SESSION['fingerprint'] != md5($_SERVER['HTTP_USER_AGENT'] . PHRASE . $_SERVER['REMOTE_ADDR'])) { 
 session_destroy();
 header('Location: http://website login page/');
 exit(); 
}
</code></pre>

blocks|key|1572497|text|php.ini|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1572498|session.cookie_httponly+=+1
change+session+name+from+default+PHPSESSID|code-block|syntax|javascript|1572499|eq+Apache+add+header：|1572500|X-XSS-Protection++++1|1572501|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|N|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|O|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|P|8|@]|9|@]|A|$E|F]]|$1|K|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|L|$]]

<h1>php.ini</h1>

<pre><code>session.cookie_httponly = 1
change session name from default PHPSESSID
</code></pre>

<h1>eq Apache add header:</h1>

<pre><code>X-XSS-Protection 1
</code></pre>

blocks|key|1572340|text|我会同时检查IP和用户代理，看看它们是否发生了变化|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1572341|if+($_SESSION['user_agent']+!=+$_SERVER['HTTP_USER_AGENT']
++++%7C%7C+$_SESSION['user_ip']+!=+$_SERVER['REMOTE_ADDR'])
{
++++//Something+fishy+is+going+on+here?
}|code-block|syntax|javascript|1572342|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

I would check both IP and User Agent to see if they change

<pre><code>if ($_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT']
 || $_SESSION['user_ip'] != $_SERVER['REMOTE_ADDR'])
{
 //Something fishy is going on here?
}
</code></pre>

blocks|key|1572418|text|如果你使用session_set_save_handler()，你可以设置你自己的会话处理程序。例如，您可以将会话存储在数据库中。有关数据库会话处理程序的示例，请参阅php.net注释。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1572419|如果您有多个服务器，则DB会话也很好，否则，如果您使用基于文件的会话，则需要确保每个read服务器都可以访问相同的文件系统来读/写会话。|1572420|entityMap|0|LINK|mutability|MUTABLE|url|http://www.php.net/manual/en/function.session-set-save-handler.php^0|5|Q|0|0|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@$A|O|B|P|1|Q]]|C|$]]|$1|D|3|E|5|6|7|R|8|@]|9|@]|C|$]]|$1|F|3|-4|5|6|7|S|8|@]|9|@]|C|$]]]|G|$H|$5|I|J|K|C|$L|M]]]]

If you you use <a href="http://www.php.net/manual/en/function.session-set-save-handler.php" rel="nofollow noreferrer">session_set_save_handler()</a> you can set your own session handler. For example you could store your sessions in the database. Refer to the php.net comments for examples of a database session handler.

DB sessions are also good if you have multiple servers otherwise if you are using file based sessions you would need to make sure that each webserver had access to the same filesystem to read/write the sessions.

blocks|key|1787426|text|您需要确保会话数据是安全的。通过查看您的php.ini或使用phpinfo()，您可以找到您的会话设置。_session.save_path_会告诉您它们的保存位置。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1787427|检查文件夹及其父级的权限。它不应该是公开的(/tmp)，也不应该被共享服务器上的其他网站访问。|1787428|假设你仍然想使用php+session，你可以通过改变_session.save_path_来设置php使用另一个文件夹，或者通过改变_session.save_handler_来将数据保存在数据库中。|1787429|您可以在您的php.ini+(某些提供商允许)中设置_session.save_path_，或者在站点根文件夹下的.htaccess文件中设置apache+%2B+mod_php：php_value+session.save_path+"/home/example.com/html/session"。您也可以在运行时使用_session_save_path()_设置它。|offset|length|style|CODE|1787430|选中Chris+Shiflett's+tutorial或Zend_Session_SaveHandler_DbTable以设置和替代会话处理程序。|1787431|entityMap|0|LINK|mutability|MUTABLE|url|http://shiflett.org/articles/storing-sessions-in-a-database|1|http://framework.zend.com/manual/en/zend.session.savehandler.dbtable.html^0|0|0|0|2G|1O|0|2|P|0|S|W|1|0^^$0|@$1|2|3|4|5|6|7|X|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Y|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|Z|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|10|8|@$H|11|I|12|J|K]]|9|@]|A|$]]|$1|L|3|M|5|6|7|13|8|@]|9|@$H|14|I|15|1|16]|$H|17|I|18|1|19]]|A|$]]|$1|N|3|-4|5|6|7|1A|8|@]|9|@]|A|$]]]|O|$P|$5|Q|R|S|A|$T|U]]|V|$5|Q|R|S|A|$T|W]]]]

You need to be sure the session data are safe. By looking at your php.ini or using phpinfo() you can find you session settings. _session.save_path_ tells you where they are saved.

Check the permission of the folder and of its parents. It shouldn't be public (/tmp) or be accessible by other websites on your shared server.

Assuming you still want to use php session, You can set php to use an other folder by changing _session.save_path_ or save the data in the database by changing _session.save_handler_ .

You might be able to set _session.save_path_ in your php.ini (some providers allow it) or for apache + mod_php, in a .htaccess file in your site root folder:
<code>php_value session.save_path "/home/example.com/html/session"</code>. You can also set it at run time with _session_save_path()_ .

Check <a href="http://shiflett.org/articles/storing-sessions-in-a-database" rel="nofollow noreferrer">Chris Shiflett's tutorial</a> or <a href="http://framework.zend.com/manual/en/zend.session.savehandler.dbtable.html" rel="nofollow noreferrer">Zend_Session_SaveHandler_DbTable</a> to set and alternative session handler.

What are some guidelines for maintaining responsible session security with PHP? There's information all over the web and it's about time it all landed in one place!

PHP Session Security

数据存储

文件系统

数据库

服务器

用PHP维护负责任的会话安全性有哪些指导原则？网络上到处都是信息，是时候把所有的信息都集中在一个地方了！

问PHP会话安全性
EN

回答 11

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问PHP会话安全性EN

回答 11

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问PHP会话安全性
EN