doudouwen2763 2011-08-24 18:40
Views: 51
Accepted

Should I regenerate the session ID on every page?

I am trying to add more security to my user authentication sessions. When the user logs in I call regenerate_session_id, but I would like your answer on whether calling regenerate_session_id on every page where I authenticate the user will help me out.

authenticate user on each page

<?php
    // Resume the existing session (or create an empty one).
    session_start();

    // No member ID stored in the session means the user is not logged in:
    // redirect away and stop executing the protected page.
    if(!isset($_SESSION['MEMBER_ID']) || (trim($_SESSION['MEMBER_ID']) == '')) {
        header("location: denied.php");
        exit();
    }
?>

I changed this to

<?php
    session_start();

    if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
        header("location: access-denied.php");
        exit();
    } else {
        // Logged in: issue a new session ID on every authenticated request.
        session_regenerate_id();
    }
?>

2 answers

  • duandeng2265 2011-08-24 18:50

    You may use session_regenerate_id to prevent session fixation attacks, in which the attacker learns the session ID of a given user then "hijacks" that session ID to act in place of the user.

    However, care must be taken. For one, you have to consider asynchronous requests. If you have many concurrent requests coming from a user, you'll want to avoid a situation where one script is using session data when another tries to regenerate - one script is using data that the other is trying to destroy.

    Also, this does add overhead. Regenerating on every request is probably overkill. Instead, try keeping a request counter; every 10 requests (or so, arbitrary selection), regenerate the ID.

    Be sure to pass the argument as true - you don't want or need the old session data sitting around (keeping in mind, still, concurrent requests). See the docs for more information.

    All that said - this mechanism is a sort of "micro-enhancement" that will give you more of a false sense of security than actual security. Session-fixation attacks are not very common, especially if you're already taking other measures to bolster security. Nothing can replace, for example, using HTTPS for a secure connection; nothing can replace password complexity requirements.

    This answer was selected by the asker as the best answer.
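The accepted answer's recommendation, regenerate at login and then only every N requests, always passing true, written out as an added example (this is not the asker's code nor the answerer's). It reuses the question's SESS_MEMBER_ID key and access-denied.php page; the SESS_REQUEST_COUNT key, the helper names and the 10-request interval are assumptions for illustration, the interval being the answer's arbitrary pick.

```php
<?php
// Added example: session guard that rotates the session ID at login and then
// every REGENERATE_EVERY requests, passing true so the old session is deleted.
// SESS_REQUEST_COUNT, the function names and the interval are illustrative.

const REGENERATE_EVERY = 10;

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie hardening: not readable by JavaScript, only sent over HTTPS
    // (the answer's point that HTTPS matters more than ID rotation).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, right after the user's credentials have been verified.
function login_member(string $memberId): void
{
    start_secure_session();
    // A fresh ID at the privilege change is what defeats a fixated
    // (attacker-known) session ID; true discards the old session data.
    session_regenerate_id(true);
    $_SESSION['SESS_MEMBER_ID']     = $memberId;
    $_SESSION['SESS_REQUEST_COUNT'] = 0;
}

// Include at the top of every protected page; returns the member ID.
function require_member(): string
{
    start_secure_session();

    $id = $_SESSION['SESS_MEMBER_ID'] ?? '';
    if (trim($id) === '') {
        header('Location: access-denied.php');
        exit();
    }

    // Rotate every REGENERATE_EVERY requests instead of on each hit, which
    // keeps the overhead and the concurrency window small.
    $count = ($_SESSION['SESS_REQUEST_COUNT'] ?? 0) + 1;
    if ($count >= REGENERATE_EVERY) {
        // Caveat from the answer: a concurrent request that still carries the
        // old ID will find no session after this and be treated as logged out.
        session_regenerate_id(true);
        $count = 0;
    }
    $_SESSION['SESS_REQUEST_COUNT'] = $count;

    return $id;
}
```

The counter lives in the session itself, so it is reset together with the ID; if a page fires several asynchronous requests, keep the interval large enough that a rotation rarely coincides with them, or route those requests through an endpoint that does not call require_member().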
