I read a paper in the PHP manual about session vulnerability. I learned that I need to bind my session to the user's SSL certificate, and verify that on every page. I don't quite know what this means.
My site has SSL on every page, there is never any switch and the user can never access it without https.
Do I need to take measures, in my code, to protect my sessions?
I would recommend restricting the session cookie to HTTPS pages only, even if you don't switch to non-secure pages. This can be done before calling the session_start() function with session_set_cookie_params(): set the parameter $secure
to true. I haven't heard of a need to verify the cookie; the cookie should be transferred encrypted.
<?php
// lifetime 0 (browser session), path '/', current host, Secure = true (HTTPS only), HttpOnly = true
// Must be called before session_start(), otherwise the cookie has already been sent.
session_set_cookie_params(0, '/', '', true, true);
session_start();
To prevent session fixation, you should transfer the session id only with a cookie and not in the URL. See the session.use_only_cookies
setting. To be on the safe side, you can regenerate the session id after login:
login.php:
<?php
session_set_cookie_params(0, '/', '', true, true);
session_start();
// After the credentials have been verified: issue a fresh id and delete the old
// session file (true), so an id planted before login is no longer valid.
session_regenerate_id(true);
This generates a new cookie with a different session id, but keeps the content of the session.
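The pieces of this answer combined into one bootstrap that every page can include, as an added example that is not part of the original answer. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie(); the function names secure_session_start, login_user and logout_user are mine, not from the PHP manual.

```php
<?php
// Added example: hardened session bootstrap plus login/logout helpers.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params / setcookie).

function secure_session_start(): void
{
    // Only accept session ids from cookies, never from the URL (anti-fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not generate itself, so an attacker cannot
    // plant an arbitrary id in the victim's browser before login.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ]);

    session_start();
}

// Call once the submitted credentials have been checked.
function login_user(int $userId): void
{
    // New id, old server-side data deleted: anything fixed before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

secure_session_start();
```

session.use_strict_mode is the setting that actually closes the fixation hole: without it PHP happily adopts whatever id the cookie carries, and regenerating at login only helps if the attacker's id has not already been accepted.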
If you're talking about client-certificate authentication (by which the client presents a certificate to authenticate to the server), you'd probably use the server's authentication layer to provide you with an ID. Assuming Apache Httpd, that can be done with SSLOptions +FakeBasicAuth
for example. From PHP's point of view, it's not much different from using HTTP Basic authentication after this (and you could bind a PHP session to this form of authentication).
If you're not talking about client certificates, but about SSL/TLS session IDs, the notion of an SSL/TLS session is completely different from the PHP session. The SSL/TLS session may legitimately change during a PHP session, for a number of reasons (including connection loss, timeout, parallel connections to download multiple items on the page at the same time, ...). The effect of such a change will be completely transparent to the HTTP layer. There is no link between the two kinds of sessions, and using the SSL/TLS session ID as a basis for the PHP session ID is more likely to create trouble than anything else.
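The binding this answer mentions (a PHP session tied to the identity the TLS layer authenticated, re-checked on every page), as an added example that is not from the original answer. It assumes Apache httpd with mod_ssl configured with SSLVerifyClient require and SSLOptions +StdEnvVars, which export SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN into $_SERVER; with +FakeBasicAuth you would read $_SERVER['REMOTE_USER'] instead. The function names are mine.

```php
<?php
// Added example: bind the PHP session to the client certificate subject and
// verify the binding on every request.
// Assumes Apache + mod_ssl with "SSLVerifyClient require" and
// "SSLOptions +StdEnvVars" (SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN in $_SERVER).

function client_cert_identity(): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only when the certificate
    // chain validated against the configured CA. Never trust the DN without it.
    if (($_SERVER['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $dn = $_SERVER['SSL_CLIENT_S_DN'] ?? '';
    return $dn === '' ? null : $dn;
}

function deny(string $reason): void
{
    session_destroy();
    http_response_code(403);
    exit($reason);
}

function bound_session_start(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    $identity = client_cert_identity();
    if ($identity === null) {
        // No validated client certificate on this request: nothing to bind to.
        deny('client certificate required');
    }

    if (!isset($_SESSION['cert_dn'])) {
        // First request with this session: bind it to the certificate subject.
        session_regenerate_id(true);
        $_SESSION['cert_dn'] = $identity;
        return;
    }

    if (!hash_equals($_SESSION['cert_dn'], $identity)) {
        // The cookie arrived over a connection authenticated by a different
        // certificate: treat it as stolen and refuse to continue.
        deny('session does not belong to this certificate');
    }
}

bound_session_start();
// From here on $_SESSION['cert_dn'] is the authenticated subject for this request.
```

The check is per request, not per TLS connection, which is exactly why it works where the SSL/TLS session ID would not: whatever connection the browser reuses or reopens, the certificate it presents is the same, so the comparison stays stable across the connection changes described above.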