当前位置: 首页 > 网络学院 > 服务端脚本教程 > PHP > PHP 安全技巧连载 #7[译]
原文出处:http://devzone.zend.com/article/1786-PHP-Security-Tip-7
翻译:[email protected]
Today's Security tip comes from Kevin Schroeder and the bright young minds over at Zend Professional Services.
今天的安全技巧来自于凯文施罗德以及他在Zend专业服务中年轻有为的心。
When using session_regenerate_id() to protect against session fixation it's usually a good idea to remove the old session ID.
当使用session_regenerate_id() 来防止session的固定照平常消除旧的session ID是个不错的想法
For example, the script
举个例子,脚本
<?php
session_start();
$_SESSION['data'] = time();
session_regenerate_id();
?>
Go to the URL once and check your /tmp directory
移动URL到你的/tmp文件夹
sess_82c6980017e100277a63983142fd454c
sess_a4bab88e6dfa6e900ade21e3fbd27a53
Go again and you'll see
再执行一次然后你将会看到
sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c
And again, and you'll see
然后再来,你会看到
sess_984c5230acca90b5a75eddb89bb48354
sess_a4bab88e6dfa6e900ade21e3fbd27a53
sess_82c6980017e100277a63983142fd454c
sess_dd88c05b724d80b30c90309847f2e919
Those sessions are still active. To remove them when regenerating the ID use the following code:
这些session依然还是活动的。要想在更新ID的时候删除他们就应该使用下面的代码:
<?php
session_start();
$_SESSION['data'] = time();
session_regenerate_id(true);
?>
If you're using your own session handler this will also cause your destroy callback function to be called.
如果你在使用你自己的session处理那么这个也会引起你的销毁回收函数被调用。
While this will not be make or break when building a secure application it gives you a little added security against session fixation that costs you 4 characters of code.
尽管在建立一个安全应用程序的时候这个不会建立或是破坏安全性,但起码会给在对付session固定上会给你带来一些安全,而你要做的就是在代码上再敲入4个字符。