开发者

Implementing Session Hijacking prevention, properly

问答 作者:

I am pretty new to Web Development and I read about CSRF, XSS, and Session Hijacking. One proposed开发者_StackOverflow社区 solution is to simply use a nonce to check the validity of requests. I wrote this script in PHP to prevent session hijacking. I think it is similar in spirit to regenerating the session ID, in that identifiers, or their combination (session ID and the nonce) are changed at every request.

if(!isset($_SESSION["user"]["nonce"]) || 
   $_SESSION["user"]["nonce"] == $_COOKIE["SITE_nonce"])
{
    $nonce = md5(uniqid());
    $_SESSION["user"]["nonce"] = $nonce
    setcookie("SITE_nonce", $nonce, 0, "/path");
}
else
    die("Invalid Request");

Is this enough? I really do not know if I can afford SSL, and I know that it would be a good solution to session highjacks, but I am hoping for some insight to this approach. Am I missing something?

This is really a common problem - discussed many times before. I suggest you visit security pages such as http://owasp.com/index.php/Main_Page for a bunch of very good guides.

As for your implementation: you can also store some sort of hash that you generate first time person comes gets a session and an IP. Also I guess a good time out on cookie.

继续阅读:phpsession-hijacking

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9