How to prevent session hijacking with php when all pages are loaded in index.php

I am trying to build a login system in which I use index.php?page=login as my login page, and after logging in the page is redirected to index.php?page=dashboard. The problem is that my system can easily be session-hijacked, so I need help making it secure.

My index.php page

<?php

include 'config.php';

$session = new session();
$session -> start_session($conn, '_h', false);

// Default to the login page when ?page= is absent instead of reading an undefined index.
$page = $_GET['page'] ?? 'login';

// Every page except login and register requires an authenticated admin session.
if($page != 'login' && $page != 'register'){
  if (admin_logged_in() == false) {
  header("Location:index.php?page=login");
  exit();
  }
}

// $include, $view and $hidedesign are expected to come from config.php (not shown in the question).
// Header and breadcrumb are only rendered for the full-layout pages.
if($page == 'dashboard' || $page == 'password' || $page == 'login') {

    include $include.'/header.php';

    // $hidedesign lists the pages that are rendered without a breadcrumb.
    if(!in_array($page, $hidedesign))
    {
      include $include.'/breadcrumb.php';
    }

}

?>

<?php include $view; ?>


<!-- footer -->
<?php

if($page == 'dashboard' || $page == 'password' || $page == 'login') {
    include $include.'/footer.php';
}

?>

Config file

$conn = mysqli_connect("localhost","root","","db_name");

// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}


class session {
    public $db, $db_ref, $db_ads, $new_con;
    function __construct() {
    }

    function start_session($connection, $session_name, $secure) {
        // HttpOnly is wanted whether or not the cookie is marked Secure; the original
        // condition switched it off exactly when $secure was true.
        $httponly = true;

        ini_set('session.use_trans_sid', FALSE);
        // session.entropy_file and session.hash_function no longer exist (removed in PHP 7.1);
        // session ids are now drawn from the OS CSPRNG, sized by session.sid_length.
        ini_set('session.use_only_cookies', TRUE);
        ini_set('session.cookie_httponly', TRUE);
        ini_set('session.cookie_lifetime', 1200);
        // Overridden below by session_set_cookie_params(), which receives $secure (false from index.php).
        ini_set('session.cookie_secure', TRUE);
        $cookieParams = session_get_cookie_params();
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
        session_name($session_name);
        $this -> db = $connection;
        //session_set_save_handler(array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc'));
        //register_shutdown_function('session_write_close');
        session_start();
        // Regenerated on every request, so the session file is replaced on every page load.
        session_regenerate_id(true);

    }

}


function admin_logged_in() {

    // ?? lets a fresh session (nothing stored yet) fail cleanly instead of raising notices.
    if(($_SESSION['ip'] ?? null) !== $_SERVER["REMOTE_ADDR"]){
        return false;
    }

    if(($_SESSION['user_agent'] ?? null) !== ($_SERVER["HTTP_USER_AGENT"] ?? '')){
        return false;
    }

    if(!isset($_SESSION['admin_logged_in'])) {
        return false;
    }

    return true;
}

Login page code in the view


$msg = '';

if(isset($_POST['submit'])){

  // post_value_check() and $tb_admin are expected to come from config.php (not shown in the question).
  // post_value_check() must escape the value, because it is interpolated straight into the query
  // below; a prepared statement would remove that dependency.
  $myusername = post_value_check($conn, $_POST['email'] ?? '');
  $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
  // The password never reaches SQL, and escaping it would alter characters such as ' or \
  // before password_verify() sees them, so it is taken as submitted.
  $mypassword = $_POST['password'] ?? '';

  $error_msg = array();
  $error = false;

  if($myusername  == ''){
    $error = true;
    $error_msg['myusername_error'] = 'Email is missing.';
  }else if(!preg_match($email_exp, $myusername)){
    $error = true;
    $error_msg['myusername_error'] = 'Enter a valid Email.';
  }

  if($mypassword  == ''){
    $error = true;
    $error_msg['mypassword_error'] = 'Password is missing.';
  }

  if($error == false){
    $q="select * from $tb_admin where email='$myusername'";
    $r=mysqli_query($conn,$q);
    if($r){
      $count = mysqli_num_rows($r);
      if($count > 0)
      {
        $ro = mysqli_fetch_array($r);
        $passm = $ro['password'];
        // $passm holds a password_hash() hash; the plaintext is never compared directly.
        if(password_verify($mypassword, $passm)){

          // Bind the session to this client and mark it authenticated. start_session() has
          // already called session_regenerate_id(true) for this request, so the id the
          // browser held before login is no longer valid.
          $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
          $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
          $_SESSION['admin_logged_in'] = true; // admin_logged_in() only tests isset(), which 0 would also satisfy
          $_SESSION['id']=$ro['id'];
          $_SESSION['name']=$ro['name'];
          $_SESSION['email']=$ro['email'];

          // header.php has already been output for page=login, so a JavaScript redirect is used.
          echo"<script>location.replace('index.php?page=dashboard')</script>";
          exit();

        }else{
          $msg.='Password did not match.';
        }
      }else{
        $msg.= 'No such email exists.';
      }
    }
  }

  extract($error_msg);
}

Logout

require 'config.php';
$session = new session();
$session -> start_session($conn, '_h', false);

// Clear the data, expire the cookie in the browser, then destroy the server-side session;
// session_destroy() on its own leaves the cookie (and so the id) in the browser.
$_SESSION = array();
$p = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
session_destroy();

header('location:index.php?page=login');
exit();

So only one session file is generated in the temp folder, and that file changes every time the page is reloaded, but when I try to open the URL in incognito mode a different file is generated. So how can I also prevent session hijacking from happening?
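As an added example (not the asker's code, and not taken from any answer on this page), here is how the session class, admin_logged_in(), the login step and the logout script above could be rewritten so that the session id is rotated at login and periodically rather than on every request, the login is bound to a client fingerprint and expires, and the cookie carries Secure, HttpOnly and SameSite. It assumes PHP 7.3 or newer (array form of session_set_cookie_params() and setcookie()), that the site is served over HTTPS, and that the $row handed to login_user() is the row the existing $tb_admin query returns; the constant names and the '_fp', '_seen', '_created' and '_rotated' session keys are my own.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's code: hardened replacements for start_session(),
// admin_logged_in(), the login step and logout. Assumptions (labelled): PHP >= 7.3,
// HTTPS in production, $row comes from the page's existing $tb_admin query.

const IDLE_LIMIT     = 1200;     // seconds of inactivity before the login lapses
const ABSOLUTE_LIMIT = 8 * 3600; // hard cap on one login, active or not
const ROTATE_EVERY   = 300;      // rotate the id periodically instead of on every request

function secure_session_start(string $name = '_h'): void
{
    // Strict mode: an id the server never issued (fixation, or a guess) is
    // discarded and a fresh one generated, instead of being adopted as-is.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // PHP >= 7.1 removed entropy_file/hash_function; id strength is set here.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    session_name($name);
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; the real timeouts are server-side below
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // never transmitted over plain HTTP
        'httponly' => true,     // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
    session_start();

    $now = time();
    $expired = (isset($_SESSION['_created']) && $now - $_SESSION['_created'] > ABSOLUTE_LIMIT)
            || (isset($_SESSION['_seen'])    && $now - $_SESSION['_seen']    > IDLE_LIMIT);
    if ($expired) {
        // Drop the data and the old id together so the stale id cannot be replayed.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['_created'] = $_SESSION['_created'] ?? $now;
    // Periodic rotation bounds how long a leaked id stays usable, without the
    // per-request churn of the original start_session().
    if ($now - ($_SESSION['_rotated'] ?? $_SESSION['_created']) > ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['_rotated'] = $now;
    }
    $_SESSION['_seen'] = $now;
}

function client_fingerprint(): string
{
    // Bound to the User-Agent only: the remote IP changes legitimately (mobile
    // networks, proxies) and an attacker behind the same NAT shares it anyway,
    // so IP binding mostly produces spurious logouts rather than protection.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login_user(array $row): void
{
    // Privilege change: issue a new id, so an id planted before login
    // (fixation) never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['_rotated']        = time();
    $_SESSION['_fp']             = client_fingerprint();
    $_SESSION['admin_logged_in'] = true;   // a real boolean; isset() would accept 0 too
    $_SESSION['id']              = $row['id'];
    $_SESSION['name']            = $row['name'];
    $_SESSION['email']           = $row['email'];
}

function admin_logged_in(): bool
{
    if (($_SESSION['admin_logged_in'] ?? false) !== true) {
        return false;
    }
    // Constant-time comparison of the stored and the current fingerprint.
    return hash_equals($_SESSION['_fp'] ?? '', client_fingerprint());
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser too; session_destroy() alone leaves it there.
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_destroy();
}

// Usage in the front controller: call secure_session_start('_h') where index.php
// currently calls start_session(), keep the admin_logged_in() gate for every page
// other than login/register, call login_user($ro) after password_verify()
// succeeds, and call logout_user() from the logout script.
```

Calling session_regenerate_id(true) on every request, as start_session() above does, does not stop hijacking: whoever presents the current cookie receives the new id on the next request. What protects the login is a fresh id at the moment of authentication (against fixation), strict mode (unissued ids are refused), Secure/HttpOnly/SameSite on the cookie (harder to steal in the first place), and idle and absolute timeouts (a stolen id goes stale).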

I think you cannot stop other browsers from generating a session file with the code you have written so far, because every time you reload the page a session file is created on top of the existing one: for example, earlier your session file was sess_98765eryu, and when you reload it generates sess_324yiuyiui, replacing the first file. So now, when you open your link in a different browser, a new session file is generated; it will be blank, but if you log in with your credentials the data will then be filled into the new session file, and your session file name can change again while the data in it does not. I think this is the genuine process.

As for the session-hijacking code you have implemented, I think it is genuine and also normal; you can also read more about Securing Session INI Settings, and along with this you can follow some good examples here on how to prevent session hijacking with php. I hope this helps. :)
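The file replacement the answer describes can be reproduced from the command line. The script below is an added experiment, not the asker's or the answerer's code; it assumes PHP's default files save handler and a writable scratch directory next to the script (the SESSION_DIR name and the fixed "attacker" id are my own choices), and it needs no other part of the page. It goes one step beyond the answer by also showing what strict mode does with an id the server never issued, and what it does not do with an id that was stolen.

```php
<?php
declare(strict_types=1);
// Added experiment, not code from the question or the answer. Assumptions
// (labelled): default "files" save handler, scratch directory SESSION_DIR.

const SESSION_DIR = __DIR__ . '/sess-demo';
const ATTACKER_ID = 'attackerchosenid000000000000000'; // never issued by the server

function session_file(string $id): string
{
    return SESSION_DIR . '/sess_' . $id;
}

function run_experiment(): array
{
    $result = [];
    if (!is_dir(SESSION_DIR)) {
        mkdir(SESSION_DIR, 0700, true);
    }
    ini_set('session.save_path', SESSION_DIR);
    ini_set('session.use_strict_mode', '1');

    // 1. A legitimate client logs in: one file, holding the session data.
    session_start();
    $first = session_id();
    $_SESSION['admin_logged_in'] = true;
    session_write_close();
    $result['first_file_exists'] = file_exists(session_file($first));

    // 2. The next request regenerates the id, as start_session() does on every
    //    request: the old file is deleted and a new one carries the same data.
    session_start();
    session_regenerate_id(true);
    $second = session_id();
    $result['data_survived'] = ($_SESSION['admin_logged_in'] ?? false) === true;
    session_write_close();
    $result['first_file_gone']    = !file_exists(session_file($first));
    $result['second_file_exists'] = file_exists(session_file($second));

    // 3. A different client (an incognito window, or an attacker) presents an id
    //    that was never issued. Under use_strict_mode the id is rejected and a
    //    fresh, empty session is created instead, so fixation does not work.
    session_id(ATTACKER_ID);
    session_start();
    $result['fixation_rejected']      = session_id() !== ATTACKER_ID;
    $result['attacker_session_empty'] = !isset($_SESSION['admin_logged_in']);
    session_write_close();

    // 4. An attacker who stole the *current* id is indistinguishable from the
    //    victim: rotation only limits how long the stolen id stays valid.
    session_id($second);
    session_start();
    $result['stolen_id_still_valid'] = ($_SESSION['admin_logged_in'] ?? false) === true;
    session_write_close();

    return $result;
}

// Output comes last: session_start()/session_regenerate_id() refuse to run once
// headers (in CLI: any output) have been sent.
print_r(run_experiment());
```

Run it with php from a shell; it leaves the sess-demo directory behind for inspection. The first three checks show the answer's point: one file per client, replaced on regeneration with its data carried over. The last two show the limit of that: an unissued id is refused under use_strict_mode, but a stolen current id is accepted, so rotating the id only shortens the life of a stolen one.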