Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
464 views
in Technique[技术] by (71.8m points)

php - Session token - how does it work?

I'm wondering how you could best protect sessions. I've searched a bit and find a lot of answers, but many of them are just too confusing.

How to prevent sessions from being hijacked? I've read a lot about "sessions tokens" you generate in a form, but really don't understand what their use is. How does this prevent session hijacking?

I know you don't save things like passwords in sessions, but what CAN you store in them safely? Permissions (like a session variabele which keeps track of the user level. Every time a page is opened, the session variabele is checked. It's it's not a certain number, you get an "access-denied" message displayed)? Or how do you handle this best?

Thank you!

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You can basically store anything in the session that you want, it is just considered "best" practice not to include any security sensitive information, such as passwords, in case a layer of security is compromised.

The first step to preventing session hijacking is to not pass your session_id() via url. Users are stupid, and they will post links on their blogs with their session id, which would basically give whoever clicked that link access to their session. Therefore, it is recommended to store your session id in the users cookie.

With that said, you want to filter and escape all your user input. If you have an XSS injection, and the user is able to inject javascript, they will be able to read your cookies without a problem.

From there, you generally want to regenerate_session_id() on any major action on your website, to prevent session fixation.

It's pretty simple, and that about sums it up.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...