开发者

Implementing Session Hijacking prevention, properly

I am pretty new to Web Development and I read about CSRF, XSS, and Session Hijacking. One proposed开发者_StackOverflow社区 solution is to simply use a nonce to check the validity of requests. I wrote this script in PHP to prevent session hijacking. I think it is similar in spirit to regenerating the session ID, in that identifiers, or their combination (session ID and the nonce) are changed at every request.

if(!isset($_SESSION["user"]["nonce"]) || 
   $_SESSION["user"]["nonce"] == $_COOKIE["SITE_nonce"])
{
    $nonce = md5(uniqid());
    $_SESSION["user"]["nonce"] = $nonce
    setcookie("SITE_nonce", $nonce, 0, "/path");
}
else
    die("Invalid Request");

Is this enough? I really do not know if I can afford SSL, and I know that it would be a good solution to session highjacks, but I am hoping for some insight to this approach. Am I missing something?


This is really a common problem - discussed many times before. I suggest you visit security pages such as http://owasp.com/index.php/Main_Page for a bunch of very good guides.

As for your implementation: you can also store some sort of hash that you generate first time person comes gets a session and an IP. Also I guess a good time out on cookie.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜