Plug-in 68: Secure Session

<?php // Plug-in 68: Secure Session
/*
 * Plug-in description:
 * This plug-in checks whether a session is secure and, if it is not, closes it. It takes no arguments.
 * Attackers abuse PHP sessions by "hijacking" them. This can be done in many ways, but one serious
 * flaw is a site that passes the session ID at the end of the URL as a GET query string. Knowing this,
 * an attacker can start a session of their own, hand out the URL (carrying that session ID) in spam or
 * other links, and come back later to look for signs that the link has been followed. If the user who
 * followed it has logged in and not yet logged out, the attacker can hijack the session and use the
 * site as that user.
 */
// This is an executable example with additional code supplied
// To obtain just the plug-ins please click on the Download link

$result = PIPHP_OpenSession();

if (!$result[0]) echo "Could not open session.<br />";
else
{
   list($handle, $pass, $name, $email) = $result[1];

   echo "Retrieving session variables:<pre>";
   echo "Handle: $handle\n";
   echo "Pass:   $pass\n";
   echo "Name:   $name\n";
   echo "Email:  $email</pre>";
}

if (PIPHP_SecureSession()) echo "Session is secure.";
else echo "No session (or unsecured: now terminated).";

function PIPHP_SecureSession()
{
   // Plug-in 68: Secure Session
   //
   // This plug-in tests whether the IP address or User
   // Agent are different from those of the user who
   // initiated the session. If so, it terminates the
   // session to prevent hijacking. It returns TRUE if
   // the session appears secure, otherwise it closes
   // any session that appears insecure and returns
   // FALSE. If the session doesn't exist it returns
   // FALSE. It doesn't take any arguments.
   //
   // Notes: $_SESSION['ipnum'] and $_SESSION['agent'] must
   // have been stored when the session was created, and
   // session_start() must already have been called (in the
   // example above PIPHP_OpenSession() does that); otherwise
   // $_SESSION is empty and the function simply returns FALSE.
   // The IP comparison can log out legitimate users whose
   // address changes mid-session (mobile networks, load-
   // balanced proxies), and the User Agent is trivially
   // spoofed, so treat this as defence in depth rather than
   // a complete hijacking defence.

   // $_SERVER is populated under every SAPI; getenv() is not.
   $ipnum = isset($_SERVER['REMOTE_ADDR'])     ? $_SERVER['REMOTE_ADDR']     : '';
   $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

   if (isset($_SESSION['ipnum'], $_SESSION['agent']))
   {
      if ($ipnum !== $_SESSION['ipnum'] ||
          $agent !== $_SESSION['agent'])
      {
         PIPHP_CloseSession();
         return FALSE;
      }
      else return TRUE;
   }
   else return FALSE;
}

// The plug-ins below are included here to ensure they
// are available to the main plug-in which relies on them

function PIPHP_OpenSession()
{
   // Plug-in 66: Open Session
   //
   // This plug-in returns the four user variables.
   // It doesn't take any parameters. On success it
   // returns a two-element array, the first of which
   // has the value TRUE, and the second is an array
   // of values. On failure (if the session variables
   // don't exist, for example), it returns a single
   // element array with the value FALSE. An easy way
   // to read the return values is with a list()
   // statement, like this:
   //
   //    $result = PIPHP_OpenSession();
   //    if ($result[0]) list($h, $p, $n, $e) = $result[1];
   //
   // Note: $_SESSION['pass'] is whatever the plug-in that
   // created the session stored there; avoid keeping a
   // plaintext password in session data.

   // Don't call session_start() twice if a session is
   // already active (it raises a notice).
   if (session_status() !== PHP_SESSION_ACTIVE && !session_start())
      return array(FALSE);
   if (!isset($_SESSION['handle'])) return array(FALSE);

   $vars = array();
   $vars[] = $_SESSION['handle'];
   $vars[] = $_SESSION['pass'];
   $vars[] = $_SESSION['name'];
   $vars[] = $_SESSION['email'];
   return array(TRUE, $vars);
}

function PIPHP_CloseSession()
{
   // Plug-in 67: Close Session
   //
   // This plug-in ends a previously started session.
   // It does not take any arguments and returns TRUE
   // on success, otherwise FALSE.

   $_SESSION = array();

   // Expire the session cookie with the same path, domain
   // and flags it was issued with, so the browser really
   // discards it instead of keeping a stale copy.
   if (session_id() != "" ||
       isset($_COOKIE[session_name()]))
   {
      $params = session_get_cookie_params();
      setcookie(session_name(), '', time() - 2592000,
                $params['path'], $params['domain'],
                $params['secure'], $params['httponly']);
   }

   return @session_destroy();
}

?>
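The attack in the plug-in notes is session fixation: the attacker chooses the session ID, gets the victim to log in under it, then reuses it. Checking the IP and User Agent afterwards, as Plug-in 68 does, only catches the reuse; the hole itself is closed by refusing session IDs from the URL and by issuing a fresh ID at login. The listing below is an added example, not part of the Plug-in PHP set or the book's code. It assumes PHP 7.3+ and HTTPS, and all of its function names (hardened_session_start, client_fingerprint, session_bind_client, session_verify_client, and the placeholder credentials_ok) are this example's own.

```php
<?php
// Added example, not part of the Plug-in PHP listing above: a session
// bootstrap that removes the URL-borne session ID the notes warn about,
// and a client-binding check that does not compare IP addresses.
// Assumes PHP 7.3+ and HTTPS. All function names here are this example's own.

function hardened_session_start(): bool
{
    // Take the session ID from the cookie only (never from ?PHPSESSID=...
    // or a trans_sid-rewritten link) and refuse IDs this server never
    // issued, which is what defeats a fixation link handed to the victim.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // Cookie is unreadable from JavaScript, sent over HTTPS only, and
    // not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    return session_start();
}

// Client fingerprint recorded at login. The User-Agent is trivially spoofed,
// so this is defence in depth only; the IP address is left out on purpose
// because mobile carriers and load-balanced proxies change it mid-session.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call after the credentials have been verified. Regenerating the ID throws
// away any ID an attacker planted before login, and delete_old_session=true
// means the planted ID can no longer be used to reach this user's data.
function session_bind_client(array $user): void
{
    session_regenerate_id(true);
    $now = time();
    $_SESSION = [
        'user'        => $user,
        'fingerprint' => client_fingerprint(),
        'created'     => $now,
        'last_seen'   => $now,
    ];
}

// Per-request check. Returns TRUE if the session can be trusted; otherwise
// the session data and cookie are destroyed and FALSE is returned.
function session_verify_client(int $idle_limit = 1800, int $rotate_every = 300): bool
{
    if (!isset($_SESSION['fingerprint'], $_SESSION['created'], $_SESSION['last_seen'])) {
        return false;
    }
    $now = time();
    $ok = hash_equals($_SESSION['fingerprint'], client_fingerprint())
        && ($now - $_SESSION['last_seen']) <= $idle_limit;
    if (!$ok) {
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', $now - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    // Rotate the ID periodically so a leaked ID has a short useful life.
    if ($now - $_SESSION['created'] > $rotate_every) {
        session_regenerate_id(true);
        $_SESSION['created'] = $now;
    }
    return true;
}

// Usage in a login handler (credentials_ok() is a placeholder for your own
// password check, not a real function):
//
//   hardened_session_start();
//   if (credentials_ok($handle, $pass)) {
//       session_bind_client(['handle' => $handle]);
//   }
//
// Usage on every protected page:
//
//   hardened_session_start();
//   if (!session_verify_client()) { header('Location: /login.php'); exit; }
```

With session.use_only_cookies on, a session ID in the query string is ignored outright; session.use_strict_mode additionally rejects an ID that the server did not generate even when it arrives in the cookie, so an attacker cannot pre-plant one. The ini_set() calls must run before session_start(), which is why they sit inside the bootstrap function. session_regenerate_id(true) deletes the old session file at once; on pages that fire several concurrent requests (AJAX-heavy UIs) that can drop a request that still carries the old ID, so in that setting keep the old session briefly with an "obsolete" marker instead of passing true.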
