PHP Security-Cookie Theft-PHP Tutorial-php.cn

PHP Security-Cookie Theft

黄舟

Release： 2023-03-05 21:36:02

Original

1326 people have browsed it

Cookie theft

One risk arising from the use of cookies is that the user's cookies will be stolen by attackers. If the session ID is stored in a cookie, cookie exposure is a serious risk because it can lead to session hijacking.

Figure 4-2. PHP handles the complex process of session management for you

The most common causes of cookie exposure are browser vulnerabilities and cross-site scripting attacks (see Chapter 2). Although there are currently no known browser vulnerabilities of this type, several cases have appeared in the past, the most famous of which occurred simultaneously in versions 4.0, 5.0, 5.5 and 6.0 of IE (these vulnerabilities have corresponding patches provided).

While it’s true that browser vulnerabilities are not the web developer’s fault, you can take steps to mitigate the threat to your users. In some cases, you may effectively eliminate the risk by using some security measures. At least you can tell and guide users to apply security patches that correct vulnerabilities.

For these reasons, it is necessary to be aware of new security vulnerabilities. You can follow several websites and mailing lists provided below, and many services provide RSS push, so you can get warnings of new security vulnerabilities by subscribing to RSS. The SecurityFocus website maintains a list of a series of software vulnerabilities (http://www.php.cn/), which you can search by developer, theme and version. The PHP Security Association also maintains all the latest notifications from SecurityFocus. (http://www.php.cn/)

Cross-site scripting attacks are a more common method used by attackers to steal cookies. One of them has been described in Chapter 2. Since client-side scripts can access cookies, all the attacker needs to do is write a script that transmits data. The only thing limiting this is the creativity of the attacker.

Preventing cookie theft is through a combination of preventing cross-site scripting vulnerabilities and detecting browser vulnerabilities that lead to cookie exposure. Since the latter is very rare (and such vulnerabilities will become rarer in the future), it's not a primary concern, but it's still a good thing to keep in mind.

The above is the content of PHP security-Cookie theft. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!