Using SSL only for some operations is not enough, unless you have separate sessions for encrypted and unencrypted traffic. If you use a single session over both HTTPS and HTTP, an attacker will steal it on the first non-HTTPS request.

2018-10-22 16:37
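The failure mode in the comment above is the session cookie being sent on both http:// and https:// requests. The following is an added example, not code from the original thread: it shows the stock PHP session start beside a hardened variant that refuses to run the session over plain HTTP at all and marks the cookie so the browser never sends it unencrypted. The helper names (request_is_https, start_session_hardened, on_login_success) and the proxy address 10.0.0.5 are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread: keep the PHP session ID off plain HTTP.
// request_is_https(), start_session_hardened(), on_login_success() and $trustedProxies
// are illustrative names, not PHP built-ins.

/** True if the request arrived over TLS. X-Forwarded-Proto is trusted only from our own proxies. */
function request_is_https(array $server, array $trustedProxies = []): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['REMOTE_ADDR'], $server['HTTP_X_FORWARDED_PROTO'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        return strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// WEAK: stock defaults. The cookie has no Secure attribute, so the browser attaches the
// same PHPSESSID to any http:// request for the site and a network attacker reads it there.
function start_session_weak(): void
{
    session_start();
}

// HARDENED: the authenticated session exists only on https://. Any http:// hit is redirected
// before the session is touched, and the cookie itself is marked Secure + HttpOnly + SameSite.
function start_session_hardened(array $server, array $trustedProxies = []): void
{
    if (!request_is_https($server, $trustedProxies)) {
        $host = $server['HTTP_HOST'] ?? 'example.com';   // assumption: your canonical host
        header('Location: https://' . $host . ($server['REQUEST_URI'] ?? '/'), true, 302);
        exit;
    }
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never read the ID from the query string
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // browser never sends it over http://
        'httponly' => true,    // not exposed to document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call after the password check succeeds so the pre-login ID (possibly attacker-known) is discarded. */
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

// Typical entry point of an authenticated page:
start_session_hardened($_SERVER, ['10.0.0.5']);   // 10.0.0.5: assumed address of our reverse proxy
```

If some pages genuinely must keep working over HTTP (an anonymous shopping cart, say), give them a differently named, non-Secure cookie of their own rather than reusing this one; that is the "separate sessions for encrypted and unencrypted traffic" the comment describes, and it keeps the authenticated ID from ever appearing on the wire in clear.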

-1: the user agent is trivial to spoof. What you are describing wastes code and is not a security system.

2018-10-22 16:37

@The Rook, it may be a trivial barrier (the attacker can capture a victim's user agent using their own site) and it relies on security through obscurity, but it is still one extra barrier. If the User-Agent HTTP header were to change during the session, it would be extremely suspicious and most likely an attack. I never said you can use it alone. If you combine it with the other techniques you have a much more secure site.

2018-10-21 16:37

@grom I think it's like putting a piece of scotch tape across your door and saying it will prevent people from breaking in.

2018-10-21 16:37

If you're checking the user agent, you'll block all requests from IE8 users when they toggle compatibility mode. See the fun I had tracking down this problem in my own code: serverfault.com/questions/200018/http-302-problem-on-ie7. I'm taking the user agent check out, because it's such a trivial thing to spoof, as others have said.

2018-10-22 16:37

+1 for XSS-prevention. Without that it's impossible to protect against CSRF, and thus somebody can "ride" the session without even getting the session ID.

2018-10-21 16:37

This has no relation to the question at all.

2018-10-22 16:37

Really? Then why in the accepted answer do they mention not to use register globals? Wouldn't, as far as most run-of-the-mill developers are concerned, register globals and form variable handling fall under the umbrella of "sessions" even if it isn't technically part of the "session" object?

2018-10-21 16:37

I agree, this does not fully answer the question, but it is definitely PART of the answer to the question. Again, this fleshes out a bullet point in the accepted answer, "Don't use register globals". This tells what to do instead.

2018-10-21 16:37

Can you elaborate?

2018-10-21 16:37

httpd.conf -> <FilesMatch "\.(php|phtml|aspx|htm|html)$">Header set X-XSS-Protection "1"</FilesMatch>

2018-10-22 16:37

Be aware that X-XSS-Protection isn't really useful at all. In fact, the protecting algorithm itself could actually be exploited, making it worse than before.

2018-10-22 16:37

The IP can legitimately change if the user is behind a load-balanced proxy farm.

2018-10-22 16:37

And the user_agent can change every time a user upgrades their browser.

2018-10-21 16:37

@scotts I agree with the IP part, but for the browser upgrade: you would set the session when they log in, so I don't see how they would upgrade their browser without creating a new session once they log in again.

2018-10-22 16:37

I believe the user_agent can also change when toggling compatibility mode in IE8. It's also very easy to fake.

2018-10-21 16:37

Yep, but what about users whose IP (e.g. on GSM) changes every half hour? So: store the IP in the session plus the host name; when IP != REMOTE_ADDR, look up the host and compare hostnames, e.g. 12.12.12.holand.nl -> when holand.nl matches, true. But some hosts have IP-based hostnames; then you need to compare a mask, 88.99.XX.XX.

2018-10-21 16:37
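The thread above argues over binding a session to the User-Agent and to the client IP, with the objections being proxy farms, mobile pools and IE compatibility mode changing either value mid-session. The following is an added example, not code from the original thread or from any answer on the page: it binds the session to a hash of the User-Agent and compares the IP on a network prefix (IPv4 /16, IPv6 /48) instead of exactly, which is the "compare a mask, 88.99.XX.XX" idea from the last comment. The function names (session_bind, session_check_binding, ip_same_network), the prefix lengths and the sample requests are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Binds a PHP session to a loose client
// fingerprint. session_bind(), session_check_binding(), ip_same_network() and
// ua_fingerprint() are illustrative names; the /16 and /48 prefix lengths are assumptions.

/** Hash the UA so the raw string is not stored in the session file. */
function ua_fingerprint(string $ua): string
{
    return hash('sha256', $ua);
}

/**
 * True if both addresses fall in the same network prefix: IPv4 /16, IPv6 /48.
 * An exact REMOTE_ADDR comparison would log out users behind load-balanced proxy farms or
 * mobile carriers that rotate addresses; a prefix still catches a hijacker on another network.
 */
function ip_same_network(string $a, string $b): bool
{
    $pa = @inet_pton($a);
    $pb = @inet_pton($b);
    if ($pa === false || $pb === false || strlen($pa) !== strlen($pb)) {
        return false;   // unparsable or mixed IPv4/IPv6: treat as a change
    }
    $prefixBytes = strlen($pa) === 4 ? 2 : 6;   // 16 bits for IPv4, 48 bits for IPv6
    return substr($pa, 0, $prefixBytes) === substr($pb, 0, $prefixBytes);
}

/** Record the binding at login time (after session_regenerate_id). */
function session_bind(array &$session, array $server): void
{
    $session['_bind'] = [
        'ua' => ua_fingerprint($server['HTTP_USER_AGENT'] ?? ''),
        'ip' => $server['REMOTE_ADDR'] ?? '',
    ];
}

/**
 * Returns 'ok', 'unbound', 'ua_changed' or 'ip_changed'. The caller decides what to do;
 * a sensible policy is to force re-authentication rather than silently continue.
 */
function session_check_binding(array $session, array $server): string
{
    $b = $session['_bind'] ?? null;
    if ($b === null) {
        return 'unbound';
    }
    if (!hash_equals($b['ua'], ua_fingerprint($server['HTTP_USER_AGENT'] ?? ''))) {
        return 'ua_changed';
    }
    if (!ip_same_network($b['ip'], $server['REMOTE_ADDR'] ?? '')) {
        return 'ip_changed';
    }
    return 'ok';
}

// Constructed sample requests (not real traffic).
$login = [
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
    'REMOTE_ADDR'     => '88.99.10.20',
];
$sess = [];
session_bind($sess, $login);

// Same browser, address moved inside the carrier's /16: allowed.
$later = ['HTTP_USER_AGENT' => $login['HTTP_USER_AGENT'], 'REMOTE_ADDR' => '88.99.200.7'];
// Different client on a different network presenting the stolen session ID: rejected.
$hijack = ['HTTP_USER_AGENT' => 'curl/7.61.0', 'REMOTE_ADDR' => '203.0.113.5'];

echo session_check_binding($sess, $later), PHP_EOL;
echo session_check_binding($sess, $hijack), PHP_EOL;
```

As the commenters note, none of this stops an attacker who captures the victim's User-Agent and sits in the same network range; it is a cheap tripwire on top of Secure/HttpOnly cookies, session ID regeneration and XSS prevention, not a substitute for them. The IE8 compatibility-mode case in the thread is a real source of false positives on the UA check, so log and force re-login rather than silently destroying the session.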