dousi2553 2016-12-14 16:05 Acceptance rate: 0%
32 views

Is it dangerous to assign the sid (session ID) via GET in a script?

I have seen that I can switch browsers and still keep the information stored in the session if I assign the session with session_id(sid).

I have prepared the following script, and it works correctly to keep the session for the sid that I want.

<?php
    // Current session id: empty unless a session is already active (e.g. session.auto_start = 1)
    echo(session_id());
    // Adopt whatever sid the client supplies in the URL. This is the behaviour the question is
    // about: an attacker-chosen or non-existent sid is accepted as-is (see the problems below).
    if ((isset($_GET['sid'])) && ($_GET['sid'] != session_id())) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();   // session_destroy() emits a warning when no session is active
        }
        session_id($_GET['sid']);
        session_start();
    }
    echo('<br/>' . session_id());
?>

<!-- print_r(..., true) returns the dump instead of echoing it, so <?= does not also print a stray "1" -->
<pre><?= print_r($_SESSION, true) ?></pre>
<pre><?= print_r($_COOKIE, true) ?></pre>

Possible problems and solutions:

- Problem 01: Any string used in $_GET['sid'] ends up generating a session and therefore a file in C:/PHPSSID/sess_xxxxx. Someone could generate a loop and fill the server with content.

Solution: Is it possible to check whether a sid exists? If the session exists it is used; otherwise nothing is done. But I have not found any function similar to session_id_exists. I think the only possibility would be to manually check whether the file exists. Is there another solution?

- Problem 02: In addition to the previous problem, are there any more security breaches? Is it easy for someone to generate the existing sid of another user? I think it generates 26 digits.

Documentation http://php.net/manual/en/function.session-id.php


1 answer

  • dpbsy60000 2016-12-14 16:18

    You can force the server to accept only existing session identifiers using the session.use_strict_mode setting. From the docs:

    session.use_strict_mode boolean

    session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).

    Note: Enabling session.use_strict_mode is mandatory for general session security. All sites are advised to enable this. See session_create_id() example code for more details.

    That said, this is problematic for a lot of reasons. For example, you open yourself up to spying/man-in-the-middle attacks, among other problems. As explained by the Open Web Application Security Project:

    Which is the best way to transmit session ids- in cookies, or URL or a hidden variable?

    Transmitting session IDs in the URL can lead to several risks. Shoulder surfers can see the session ID; if the URL gets cached on the client system, the session ID will also be stored; the session ID will get stored in the referrer logs of other sites. Hidden variables are not always practical as every request might not be a POST. Cookies are the safest method as cookies do not get cached, are not visible in the W3C or referrer logs, and most users anyway accept cookies.

    If you don't rate-limit people or use a WAF (Web Application Firewall), an attacker could theoretically brute-force IDs until they hit a real one, perhaps even an administrator. Depending on how securely you generate your IDs, that might be unrealistic or very practical.

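The following is an added example, not code from the question or the answer above, showing what the answer's advice looks like in practice: session.use_strict_mode turned on together with the settings that stop PHP from reading the sid out of the URL, and a minimal save handler whose validateId() is the hook PHP calls in strict mode to decide whether a client-supplied sid refers to an existing session (the "session_id_exists" the asker was looking for). It then replays the original script's behaviour, handing an attacker-chosen sid to session_id() before session_start(), and shows the id being rejected rather than adopted, so no file named after attacker input is created. The handler, the directory under sys_get_temp_dir(), and the 26-character sid value are illustrative assumptions; the code requires PHP 8.0 or later. On the brute-force question: PHP 7.1 and later default to session.sid_length = 32 with 4 bits per character (128 bits); on PHP before 7.1, 26-character ids are what the MD5 hash_function produces with hash_bits_per_character = 5, also 128 bits, which is not guessable by enumeration when the generator is sound.

```php
<?php
// Added example, not part of the original question or answer.
// Requires PHP 8.0+ (constructor promotion, union return types).
// The directory and the sample sid are constructed for illustration.
declare(strict_types=1);

/**
 * Minimal file-backed save handler. The security-relevant addition over the
 * built-in files handler is validateId(), which PHP consults only when
 * session.use_strict_mode = 1, before adopting any client-supplied id.
 */
final class StrictFileHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private string $dir) {}

    /** Map an id to a file, or null if the id is not even well-formed. */
    private function path(string $id): ?string
    {
        // Every sid PHP itself generates (sid_bits_per_character 4, 5 or 6) matches this
        // set, so anything else is attacker-crafted and must never reach the filesystem.
        if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id)) {
            return null;
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $savePath, string $sessionName): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        return ($file !== null && is_file($file)) ? (string) file_get_contents($file) : '';
    }

    public function write(string $id, string $data): bool
    {
        $file = $this->path($id);
        return $file !== null && file_put_contents($file, $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return $file === null || !is_file($file) || unlink($file);
    }

    public function gc(int $maxLifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    /** Strict mode: accept an id only if a session with that id already exists. */
    public function validateId(string $id): bool
    {
        $file = $this->path($id);
        return $file !== null && is_file($file);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $file = $this->path($id);
        return $file !== null && touch($file);
    }
}

// Hardened configuration; the weak value each line replaces is noted inline.
ini_set('session.use_strict_mode', '1');   // was 0: any unknown sid was adopted and a file created
ini_set('session.use_only_cookies', '1');  // PHP itself never reads the sid from the URL or $_GET
ini_set('session.use_trans_sid', '0');     // never append ?PHPSESSID=... to links and forms
ini_set('session.cookie_httponly', '1');   // keep the cookie away from document.cookie
ini_set('session.cookie_secure', '1');     // cookie only over HTTPS
ini_set('session.cookie_samesite', 'Lax');

session_set_save_handler(new StrictFileHandler(sys_get_temp_dir() . '/strict_sessions'), true);

// Replay the original script under strict mode: an attacker-chosen id (a constructed
// 26-character value) is handed to session_id() before session_start(). Note that
// use_only_cookies does not stop an explicit session_id($_GET['sid']) call; strict mode does.
$attackerSid = str_repeat('a', 26);
session_id($attackerSid);
session_start();

if (session_id() === $attackerSid) {
    echo "adopted attacker-chosen sid (strict mode is NOT in effect)\n";
} else {
    // validateId() returned false, so PHP discarded the supplied id and generated a fresh one.
    // No sess_aaaa... file was created, which closes the disk-filling problem from the question.
    echo "rejected; fresh sid issued: " . session_id() . "\n";
}
```

Run it twice: the first run prints the rejection and creates one file for the freshly generated id; on a second run, passing that generated id to session_id() instead of the attacker value is accepted, because validateId() now finds its file. Removing the session_id($_GET['sid']) call from the application is still the real fix; strict mode only guarantees that a sid which was never issued by the server cannot be smuggled in.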
