The session module cannot guarantee that the information you store in the session can only be seen by the user who created the session. You need to take additional steps to protect confidential information in the session. The method you take to protect confidential information depends on the confidentiality of the data you store in the session.
session_start — Start a new session or reuse an existing session
Strict session management ( Recommended learning: PHP programming from entry to proficiency)
Currently, by default, PHP manages sessions in an adaptive manner, which is very flexible to use. , but it also brings certain risks.
Starting from PHP 5.5.2, a new configuration item has been added: session.use_strict_mode
. When this configuration option is enabled and the session storage processor you are using supports it, uninitialized session IDs will be rejected and a new session will be generated for them. This prevents attackers from using a known session ID. attack.
For example, the attacker can send the victim a link containing the session ID via email: http://example.com/page.php?PHPSESSID=123456789.
If the session.use_trans_sid
configuration item is enabled, the victim will use the session ID provided by the attacker to start a new session. The risk can be reduced if the session.use_strict_mode
option is enabled.
Warning
User-defined session stores can also support strict session mode by implementing session ID validation. It is recommended that users be sure to verify the validity of the session ID when implementing their own session storage.
On the browser side, you can set the domain and path for the cookie used to save the session ID. Only HTTP access is allowed, and HTTPS access and other security attributes must be used. If you are using PHP version 7.3., you can also set the SameSite attribute on the cookie. An attacker can exploit these browser features to set a permanently available session ID.
Just setting the session.use_only_cookies
configuration item cannot solve this problem. The session.use_strict_mode
configuration item can reduce this risk. Set session.use_strict_mode=On
to reject uninitialized session IDs.
Note: Although using the session.use_strict_mode
configuration item can reduce the risks caused by flexible session management, attackers still use JavaScript injection and other means to force The user uses a session ID created by the attacker and initialized normally.
How to reduce this wind direction, you can refer to the suggestions section of this manual. If you have enabled the session.use_strict_mode
configuration item, use timestamp-based session management, and regenerate the session ID by setting the session_regenerate_id()
configuration item, then the attacker The generated session ID can then be deleted.
When access to an expired session occurs, you should save all data of the active session for subsequent analysis. Then ask the user to log out of the current session and log in again. Prevent attackers from continuing to use "stolen" sessions.
Warning
Access to expired session data does not always mean that an attack is under way. Unstable network conditions or incorrect session deletion behavior will cause legitimate users to access expired session data.
Related topic recommendations: php session (including pictures, texts, videos, cases)
The above is the detailed content of How to implement session management in php. For more information, please follow other related articles on the PHP Chinese website!