

PHP Security Tips Series #7 [translation]


Author: Cal Evans   Translated/compiled by: w3pop.com   Published: 2007-07-25   Views: 2865

Original source: http://devzone.zend.com/article/1786-PHP-Security-Tip-7
Translator: linyupark@w3pop.com

Today's Security tip comes from Kevin Schroeder and the bright young minds over at Zend Professional Services.

When using session_regenerate_id() to protect against session fixation, it is usually a good idea to remove the old session as well. By default the function only issues a new ID; the data stored under the old ID is left in place.

For example, the script

<?php

session_start();             // creates the session file, e.g. /tmp/sess_<id>
$_SESSION['data'] = time();
session_regenerate_id();     // new ID only: delete_old_session defaults to false, so the old file stays

?>

Go to the URL once and check your /tmp directory (the default session.save_path):

sess_82c6980017e100277a63983142fd454c
sess_a4bab88e6dfa6e900ade21e3fbd27a53

Go again and you'll see:

sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c

And again, and you'll see:

sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c
sess_dd88c05b724d80b30c90309847f2e919

Those old sessions are still active: anyone holding one of those IDs can keep using it. To remove the old session when regenerating the ID, pass true as the delete_old_session argument:

<?php
session_start();
$_SESSION['data'] = time();
session_regenerate_id(true);   // delete_old_session = true: the old session file is removed
?>

If you're using your own session handler, this will also cause your destroy callback to be called for the old ID.
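The following CLI script is an added example, not code from the original tip or from Zend. It wraps PHP's built-in files handler so the destroy callback can be observed, runs the plain session_regenerate_id() once and session_regenerate_id(true) once, and places the regeneration at the point where it matters most for fixation: the login, where the session's privilege level changes. The save directory, the LoggingFileHandler class and the user name 'alice' are assumptions for the demo; it needs PHP 7.4 or newer.

```php
<?php
// Added example (not from the original article). Shows that
// session_regenerate_id() leaves the old session file behind, while
// session_regenerate_id(true) removes it and invokes the handler's destroy().
declare(strict_types=1);

// Assumed helper: PHP's own files handler, with destroy() instrumented.
class LoggingFileHandler extends SessionHandler
{
    /** @var string[] session IDs for which destroy() has fired */
    public array $destroyed = [];

    public function destroy($id): bool
    {
        $this->destroyed[] = $id;
        return parent::destroy($id);
    }
}

function countSessionFiles(string $dir): int
{
    return count(glob($dir . '/sess_*') ?: []);
}

$dir = sys_get_temp_dir() . '/sess_regen_demo';   // assumed save path for the demo
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}

ini_set('session.use_cookies', '0');       // CLI: no cookie header to send
ini_set('session.cache_limiter', '');      // CLI: no cache headers either
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
session_save_path($dir);

$handler = new LoggingFileHandler();
session_set_save_handler($handler, true);

// Request 1: anonymous visitor, plain regenerate. The old file is kept.
session_start();
$_SESSION['data'] = time();
$first = session_id();
session_regenerate_id();
$second = session_id();
session_write_close();
printf("after session_regenerate_id():     %d file(s); old id %s %s\n",
       countSessionFiles($dir), $first,
       file_exists("$dir/sess_$first") ? 'still on disk' : 'gone');

// Request 2: the same client authenticates. Regenerate here and delete the
// old session, so an ID planted before login cannot be reused afterwards.
session_id($second);
session_start();
$_SESSION['user'] = 'alice';               // constructed login result
session_regenerate_id(true);
$third = session_id();
session_write_close();
printf("after session_regenerate_id(true): %d file(s); destroy() called for [%s]\n",
       countSessionFiles($dir), implode(', ', $handler->destroyed));
printf("ids issued: %s -> %s -> %s\n", $first, $second, $third);

// Remove the demo directory again.
foreach (glob($dir . '/sess_*') ?: [] as $f) {
    unlink($f);
}
rmdir($dir);
```

Two practitioner notes. Regenerate at privilege transitions (login, role change) rather than on every request; regenerating every request, as the article's minimal script does, is what produces the growing pile of files. And because delete_old_session removes the old session immediately, a concurrent request from the same client that still carries the old ID (for example an in-flight AJAX call) will find no session; the PHP manual for session_regenerate_id() recommends pairing session.use_strict_mode with a handler that marks the old session as destroyed and tolerates it for a short grace period instead of deleting it outright.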

While this alone will not make or break a secure application, it gives you a little added protection against session fixation at the cost of four characters of code.
