我的网站是用PHP构建的。我想知道如何测试会话是否中断或是否容易受到任何安全攻击。有没有可用的工具或我必须手动完成?
答案 0 :(得分:0)
您能提供更多信息吗?
会话存储在您的服务器中,您可以远程服务器查看/销毁会话
但在编程时,您可以使用
检查所有会话 foreach ($_SESSION as $key=>$val)
echo $key." ".$val;
安全问题
为了确保会话安全,有几件事要做:
1.Use SSL when authenticating users or performing sensitive operations.
2.Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
3.Have sessions time out
4.Don't use register globals
5.Store authentication details on the server. That is, don't send details such as username in the cookie.
6.Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking.
7.You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc (which is the case in our environment here).
8.Lock down access to the sessions on the file system or use custom session handling
For sensitive operations consider requiring logged in users to provide their authenication details again