Got this trick from the codertips (thanks bro).
Many webmasters don't pay attention to session security. There are two different ways to implement a login: using pure sessions, or using cookies.
We will talk about sessions first, and about their security, in this post.
Steps to session security
1- Not filtered GET, POST, REQUEST data
2- Using session_regenerate_id()
3- Accepting http only cookies
4- Manually expiring sessions
5- Php.ini modifications
Let's begin
To start a session we start by:
<?php
session_start(); // it starts the session (must be called before any output is sent)
?>
A live example is echoing "Hello World":
<?php
session_start();
// string to print
$string = "Hello World";
// store it in the session so it is available on later requests too
$_SESSION['string'] = $string;
// printing it out
echo $_SESSION['string'];
?>
It will print "Hello World" on the screen. :)
Try it!
Not filtered GET, POST, REQUEST data
If you are giving a session a value that comes from a form, make sure to filter all bad characters. Here is a live example of a vulnerability:
<?php
session_start();
/* Vulnerable version: the GET value is stored and echoed unmodified.
   An attacker can supply evil JavaScript such as:
   <script>alert(0)</script>
   which will pop up a "0" in the victim's browser.
*/
$string = $_GET['string'];   // no filtering or validation at all
$_SESSION['string'] = $string;
// printing it out, unescaped
echo $_SESSION['string'];
?>
What happened here is that the GET data is not filtered against Cross-Site Scripting (XSS) attacks. Now think about what happens when that data gets inserted into a MySQL database and the attacker supplies SQL injection payloads instead.
Make sure this kind of data is always filtered.
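Below is an added example, not code from the original post, showing the same page hardened: the parameter is read without trusting its type, validated, stored raw, and escaped only at the moment it is printed. The optional MySQL part assumes a hypothetical $pdo connection and a hypothetical table messages(body); the value is assumed to still arrive as ?string=... as in the vulnerable snippet.

```php
<?php
// Added example, not from the original post: the vulnerable page, hardened.
// Assumed for illustration: the value still arrives as ?string=..., and the
// optional MySQL part uses a hypothetical $pdo connection and a hypothetical
// table messages(body).
session_start();

// 1. Read the parameter without trusting its type: filter_input() returns
//    null when it is absent and false for an array payload (string[]=...),
//    so only a real string gets through.
$raw = filter_input(INPUT_GET, 'string');
$string = is_string($raw) ? $raw : '';

// 2. Validate against what the field is meant to hold: here, at most 64
//    characters of valid UTF-8. Anything else gets a 400, not a best-effort fix.
if (!mb_check_encoding($string, 'UTF-8') || mb_strlen($string, 'UTF-8') > 64) {
    http_response_code(400);
    exit('Invalid value for "string".');
}

// 3. Store the validated raw value. Do not HTML-escape here: the session may
//    later feed a database, a JSON API or an e-mail, each with its own escaping.
$_SESSION['string'] = $string;

// 4. Escape at the point of output, for the HTML context. ENT_QUOTES covers
//    both quote styles so the value is also safe inside an attribute, and the
//    explicit charset keeps the escaping consistent with the page encoding.
//    <script>alert(0)</script> is shown as literal text instead of running.
echo htmlspecialchars($_SESSION['string'], ENT_QUOTES | ENT_HTML5, 'UTF-8');

// 5. If the value is written to MySQL, bind it as a parameter so it can never
//    alter the SQL statement (this covers the injection case mentioned above).
function saveString(PDO $pdo, string $value): void
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
}
?>
```

The important design point is the separation of steps 3 and 4: the session keeps the real value, and each output context (HTML here, SQL in saveString) applies its own encoding, so "filtering" on the way in is never relied on to protect every place the value ends up.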
Using session_regenerate_id()
What is this function all about? Well, this function is very important!
a- When you refresh the page you get a new session id
b- When you close the browser the session gets destroyed
c- It will prevent session stealing
To implement it just simply do:
<?php
session_start();
session_regenerate_id(); // replace the current session id with a freshly generated one
?>
Accepting http only cookies
This is a php.ini setting; php.ini explains it as: "Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript." For more about it you can read on php.net.
To implement it just simply do:
<?php
// setting ini rule: this must come before session_start(), otherwise the
// session cookie has already been sent without the flag
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id();
?>
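The following is an added example (not from the original post) that puts steps 2 and 3 together the way a login handler would use them: the cookie flags and strict mode are applied before the session starts, and the session id is regenerated at the moment the user becomes authenticated. It assumes PHP 7.3 or newer for the array form of session_set_cookie_params(), HTTPS in use, and a constructed in-memory $users array standing in for a real user table.

```php
<?php
// Added example, not from the original post: session bootstrap plus a login
// handler. Assumed: PHP >= 7.3, HTTPS, and the constructed $users array below
// in place of a real user store.

// Cookie flags must be set before session_start(); after it the cookie has
// already been sent and ini_set() changes nothing for this request.
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
ini_set('session.use_only_cookies', '1');  // never read the id from the URL
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript (the post's step 3)
    'samesite' => 'Lax',    // not sent on cross-site POST requests
]);
session_start();

// Constructed sample user store: the stored value is a hash of "correct horse".
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

function login(array $users, string $user, string $pass): bool
{
    // Always run password_verify, even for unknown users, so response time
    // does not reveal which usernames exist.
    $hash = $users[$user] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || !isset($users[$user])) {
        return false;
    }
    // The post's step 2, done at the privilege change: a new id is issued and
    // the `true` argument deletes the old session data, so an id an attacker
    // planted before login no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['lastlogin'] = time();
    return true;
}

$user = filter_input(INPUT_POST, 'user') ?? '';
$pass = filter_input(INPUT_POST, 'pass') ?? '';
if ($user !== '' && login($users, (string)$user, (string)$pass)) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    http_response_code(401);
    echo 'Login failed.';
}
?>
```

Regenerating the id on every request, as the post's step 2 suggests, also works, but the essential moment is the one shown here: right after authentication, before any privileged data is written into the session.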
Manually expiring sessions
We can use time() to record when we last logged in and destroy the session after X time.
<?php
// setting ini rule (before session_start())
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id();
// record last login
$_SESSION['lastlogin'] = time();
?>
When we next access it we do a check for expiration:
<?php
// setting ini rule (before session_start())
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id();
// check if the session is older than 20 seconds (or has no login recorded at all)
if (!isset($_SESSION['lastlogin']) || $_SESSION['lastlogin'] < time() - 20) {
    $_SESSION = [];
    session_destroy(); // drop the old data before asking for a new login
    die("Session expired, please relogin.");
}
?>
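As an added example (not from the original post) that goes beyond the single 20-second check above, here is the same idea generalized to two limits practitioners usually want: an idle timeout, refreshed on every valid request, and an absolute lifetime measured from login. The limit values are constructed for illustration, and the "first visit" block at the end stands in for a real login so the script runs on its own.

```php
<?php
// Added example, not from the original post: expiry with an idle timeout
// (no request for IDLE_LIMIT seconds) and an absolute lifetime (ABSOLUTE_LIMIT
// seconds since login). The limit values are constructed for illustration.

const IDLE_LIMIT = 900;          // 15 minutes without a request
const ABSOLUTE_LIMIT = 8 * 3600; // 8 hours since login, whatever the activity

ini_set('session.cookie_httponly', '1'); // must precede session_start()
ini_set('session.use_strict_mode', '1');
session_start();

function endSession(string $reason): void
{
    // Drop the server-side data, then expire the cookie on the client too.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    http_response_code(401);
    exit($reason . ', please relogin.');
}

function checkSessionAge(array &$session, int $now): ?string
{
    // Returns null while the session is still valid, otherwise the reason.
    if (!isset($session['lastlogin'], $session['lastactivity'])) {
        return 'No session';
    }
    if ($now - $session['lastlogin'] > ABSOLUTE_LIMIT) {
        return 'Session too old';
    }
    if ($now - $session['lastactivity'] > IDLE_LIMIT) {
        return 'Session idle too long';
    }
    $session['lastactivity'] = $now;   // touch on every valid request
    return null;
}

// Stand-in for a real login so the example runs on its own: on the first
// visit, issue a fresh id and record both timestamps.
if (!isset($_SESSION['lastlogin'])) {
    session_regenerate_id(true);
    $_SESSION['lastlogin'] = time();
    $_SESSION['lastactivity'] = time();
}

$reason = checkSessionAge($_SESSION, time());
if ($reason !== null) {
    endSession($reason);
}
echo 'Session valid; last activity refreshed.';
?>
```

The absolute limit is what bounds the damage from a stolen cookie that keeps being used: with only an idle timeout, an attacker who replays the cookie regularly keeps it alive indefinitely.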
Php.ini modifications
We are going to make some modifications in the php.ini file. You can use ctrl+f to search for strings. It is good to change these 2 options or more (depending on your needs):
session.save_path = "c:/wamp/tmp" (where the sessions will be saved)
session.gc_maxlifetime = 1440 (maximum time, in seconds, a session will be alive)