原文出处：http://devzone.zend.com/article/1786-PHP-Security-Tip-7
翻译：[email protected]

Today's Security tip comes from Kevin Schroeder and the bright young minds over at Zend Professional Services.

今天的安全技巧来自于凯文施罗德以及他在Zend专业服务中年轻有为的心。

When using session_regenerate_id() to protect against session fixation it's usually a good idea to remove the old session ID.

当使用session_regenerate_id() 来防止session的固定照平常消除旧的session ID是个不错的想法

For example, the script

举个例子，脚本

<?php

session_start();
$_SESSION['data'] = time();
session_regenerate_id();

?>

Go to the URL once and check your /tmp directory
移动URL到你的/tmp文件夹

sess_82c6980017e100277a63983142fd454c
sess_a4bab88e6dfa6e900ade21e3fbd27a53

Go again and you'll see
再执行一次然后你将会看到

sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c

And again, and you'll see
然后再来，你会看到

sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c 
sess_dd88c05b724d80b30c90309847f2e919

Those sessions are still active. To remove them when regenerating the ID use the following code:
这些session依然还是活动的。要想在更新ID的时候删除他们就应该使用下面的代码：

<?php
session_start();
$_SESSION['data'] = time();
session_regenerate_id(true);
?>

If you're using your own session handler this will also cause your destroy callback function to be called.

如果你在使用你自己的session处理那么这个也会引起你的销毁回收函数被调用。

While this will not be make or break when building a secure application it gives you a little added security against session fixation that costs you 4 characters of code.

尽管在建立一个安全应用程序的时候这个不会建立或是破坏安全性，但起码会给在对付session固定上会给你带来一些安全，而你要做的就是在代码上再敲入4个字符。

评论 (0) All

登陆 | 还没注册？