【问题标题】:how to test my session?如何测试我的会话?
【发布时间】:2012-11-03 19:18:14
【问题描述】:

我的网站是用 PHP 构建的。我想知道如何测试会话是否中断或是否容易受到任何安全攻击。有没有可用的工具或者我必须手动完成?

【问题讨论】:

  • 你说的“破”是什么意思?
  • 我们的一些用户抱怨他们登录到不同的用户会话......这就是我所说的会话中断......如果可以的话,建议任何帮助......

标签: session session-cookies session-timeout


【解决方案1】:

您能提供更多信息吗?

会话存储在您的服务器中,您可以远程查看/销毁会话

但在编程中,您可以使用

检查所有会话
 foreach ($_SESSION as $key=>$val)
    echo $key." ".$val;

对于安全问题

为了确保您的会话安全,需要做几件事:

1.Use SSL when authenticating users or performing sensitive operations.

2.Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.

3.Have sessions time out

4.Don't use register globals

5.Store authentication details on the server. That is, don't send details such as username in the cookie.

6.Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking.

7.You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc (which is the case in our environment here).

8.Lock down access to the sessions on the file system or use custom session handling
For sensitive operations consider requiring logged in users to provide their authenication details again

【讨论】:

  • 谢谢 Leon .....问题是一些用户抱怨他们被引导到其他用户的会话。所以我想知道是什么导致了这种活动......
  • 同时使用cookies和会话的登录系统?
猜你喜欢
  • 1970-01-01
  • 1970-01-01
  • 2014-07-08
  • 1970-01-01
  • 1970-01-01
  • 2021-09-01
  • 1970-01-01
  • 1970-01-01
  • 2013-03-05
相关资源
最近更新 更多