我知道这个话题已经被广泛讨论了,但我还有一些特定的问题没有得到解答。例如:
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');
// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');
// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);
// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
session_start();
// If the user is already logged
if (isset($_SESSION['uid'])) {
// If the IP or the navigator doesn't match with the one stored in the session
// there's probably a session hijacking going on
if ($_SESSION['ip'] !== getIp() || $_SESSION['user_agent_id'] !== getUserAgentId()) {
// Then it destroys the session
session_unset();
session_destroy();
// Creates a new one
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
}
} else {
session_regenerate_id(true); // Prevent's session fixation
session_id(sha1(uniqid(microtime())); // Sets a random ID for the session
// Set the default values for the session
setSessionDefaults();
$_SESSION['ip'] = getIp(); // Saves the user's IP
$_SESSION['user_agent_id'] = getUserAgentId(); // Saves the user's navigator
}
所以,我的问题是:
ini_set是否提供足够的安全性?- 保存用户的IP和浏览器信息,然后每次加载页面时检查它来检测会话劫持是否可行?这样做会有什么问题吗?
- 使用
session_regenerate_id()是否正确? - 使用
session_id()是否正确?
session_regenerate_id()会根据你的INI设置为会话ID生成一个随机ID。那么,当session_regenerate_id()已经为你设置了一个新的ID时,为什么还需要调用session_id(sha1(uniqid(microtime())))来设置一个新的ID呢?http://bit.ly/uL2Pc6 - Avicinnian