Security analysis of PHP session_PHP tutorial

This achieves the purpose of convenience and speed, but when it stores information, it often contains some sensitive things, which may become targets of attacks, such as bank account numbers, credit card transactions or file records, etc. This requires that security measures must be taken when writing code to reduce the possibility of successful attacks.

The main security measures include the following two aspects.

1. Prevent attackers from obtaining the user’s session ID.

There are many ways to obtain the session ID. An attacker can obtain it by viewing the clear text communication, so it is very dangerous to put the session ID in the URL or in a cookie transmitted over an unencrypted connection; and Passing the session ID in the URL (as a _get() parameter) is also unsafe because the URL is stored in the browser's history cache and can be easily read. (Consider using ssh for encrypted transmission)

There is also a more subtle attack method. The attacker uses a Web site that has been breached by a script attack to redirect the users of the breached site to another. A site, then insert the following code in the URL of the redirected site:
?PHPSESSID=213456465412312365465412312;

Finally sent to the web application. When the user views the web application, PHP will see that there is no data associated with this session ID and will create some. The user does not know what happened, but the attacker knows the session ID and can use this session ID to enter the application.

To prevent this attack, there are two ways.
(1) Check whether session.use_only_cookie is turned on in php.ini. If this is the case, PHP will reject URL-based session IDs.
(2) When starting a session, put a variable in the session data. This variable indicates that the session was created by the user; if it is found that there is no such variable in the session data, it means that the session ID is false, and you can call session_regenerate_id Function that assigns a new session ID to an existing session.

Example:

Determine whether the session ID is true or false by judging whether the variable exists. If it exists, the session ID is true, otherwise it is false, and use the session_regenerate_id() function to Change the session ID and create a new session ID for the session.

The code is as follows:

The running result is as shown in the figure:

This is just an example, the session ID is output for better understanding. And apply this function, and there is no need to output the session ID in programming.

2. Restrict attackers from obtaining session IDs.

The method to limit attackers from obtaining session ID is as follows.
(1) Use a function (md5) to calculate the hash value (hash) of the User-Agent header plus some additional string data. (A hash function takes an arbitrarily large set of data and converts it into a very different-looking data set. The resulting hash value is completely unreproducible and impossible to generate from Another input is generated. )

By adding some data after the User-Agent string, the attacker cannot test the User-Agent string by calculating md5 encoding for common agent values.

(2) Save this encoded string in the user's session data.
(3) Check this hash value every time a request is received from this user.

The code for this solution is as follows:

By causing some trouble for the attacker, even if the attacker obtains the session ID, he cannot destroy it, which can reduce the damage to the system.